package org.hspconsortium.platform.api.oauth2;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@EnableResourceServer
@Configuration
/* loaded from: input_file:org/hspconsortium/platform/api/oauth2/OAuth2ResourceConfig.class */
public class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter {
    private static final String SECURITY_MODE_OPEN = "open";
    private static final String SECURITY_MODE_SECURED = "secured";

    @Value("${hspc.platform.api.security.mode}")
    private String securityMode;

    @Bean
    public AccessTokenConverter accessTokenConverter() {
        return new ScopeAsStringAccessTokenConverter();
    }

    @Bean
    public RemoteTokenServices remoteTokenServices(@Value("${hspc.platform.authorization.tokenCheckUrl}") String str, @Value("${hspc.platform.api.oauth2.clientId}") String str2, @Value("${hspc.platform.api.oauth2.clientSecret}") String str3) {
        RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
        remoteTokenServices.setCheckTokenEndpointUrl(str);
        remoteTokenServices.setClientId(str2);
        remoteTokenServices.setClientSecret(str3);
        remoteTokenServices.setAccessTokenConverter(accessTokenConverter());
        return remoteTokenServices;
    }

    @Bean
    @Order(Integer.MIN_VALUE)
    public CorsFilter corsFilter() {
        return new CorsFilter();
    }

    public void configure(HttpSecurity httpSecurity) throws Exception {
        String str = this.securityMode;
        boolean z = -1;
        switch (str.hashCode()) {
            case 3417674:
                if (str.equals(SECURITY_MODE_OPEN)) {
                    z = false;
                    break;
                }
                break;
            case 1970279373:
                if (str.equals(SECURITY_MODE_SECURED)) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.addFilterBefore(corsFilter(), ChannelProcessingFilter.class).authorizeRequests().anyRequest()).permitAll();
                return;
            case true:
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.addFilterBefore(corsFilter(), ChannelProcessingFilter.class).authorizeRequests().antMatchers(new String[]{"/", "/health"})).permitAll().requestMatchers(new RequestMatcher[]{new RegexRequestMatcher("\\/data\\/metadata", "GET"), new RegexRequestMatcher("\\/data\\/_services\\/smart\\/.*", "GET"), new RegexRequestMatcher("\\/data\\/_services\\/smart\\/.*", "POST"), new RegexRequestMatcher("\\/terminology\\/.*", "GET"), new RegexRequestMatcher("\\/federated\\/.*", "GET")})).permitAll().requestMatchers(new RequestMatcher[]{new RegexRequestMatcher("\\/\\w+\\/data\\/metadata", "GET"), new RegexRequestMatcher("\\/\\w+\\/data\\/_services\\/smart\\/.*", "GET"), new RegexRequestMatcher("\\/\\w+\\/data\\/_services\\/smart\\/.*", "POST")})).permitAll().anyRequest()).authenticated();
                return;
            default:
                throw new RuntimeException("Security mode must be either open or secured");
        }
    }
}
