package org.hspconsortium.platform.api.oauth2;

import java.util.ArrayList;
import java.util.Iterator;
import org.apache.commons.lang3.Validate;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

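/**
 * OAuth2 resource-server security configuration for the platform API, active under the
 * {@code default} Spring profile.
 *
 * <p>The property {@code hspc.platform.api.security.mode} selects one of three modes:
 * <ul>
 *   <li>{@code secured}: under the FHIR context path only the metadata and
 *       {@code _services/smart} endpoints are reachable without a token; every request not
 *       matched by a permit rule must be authenticated.</li>
 *   <li>{@code open}: the whole FHIR context path is reachable without authentication, for
 *       every HTTP method. Requests not matched by a permit rule still require
 *       authentication.</li>
 *   <li>{@code mock}: no {@link RemoteTokenServices} is created, the
 *       {@link OAuth2AuthenticationProcessingFilter} is removed from every filter chain, and
 *       every request is permitted. The deployment has no access control in this mode.</li>
 * </ul>
 *
 * <p>NOTE(review): the mode comes from configuration alone and this class does not restrict
 * {@code open} or {@code mock} to a development profile. Deployments should pin the
 * property to {@code secured} and alert on any other value at startup.
 */
@EnableResourceServer
@Profile({"default"})
@Configuration
/* loaded from: input_file:org/hspconsortium/platform/api/oauth2/OAuth2ResourceConfig.class */
public class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter {
    public static final String SECURITY_MODE_OPEN = "open";
    public static final String SECURITY_MODE_SECURED = "secured";
    public static final String SECURITY_MODE_MOCK = "mock";
    /** Sentinel property value meaning "no endpoint configured". */
    public static final String NO_ENDPOINT = "none";

    // No default: the application context fails to start when the mode is not configured.
    @Value("${hspc.platform.api.security.mode}")
    private String securityMode;

    @Value("${hspc.platform.api.fhir.contextPath:data}")
    private String fhirContextPath;

    // Optional second context path that is always unauthenticated, whatever the mode.
    @Value("${hspc.platform.api.fhir.openContextPath:none}")
    private String openContextPath;

    // Entries of the form "antPattern" or "antPattern|HTTP_METHOD"; each one is permitted
    // without authentication by configureSystemEndpoints.
    @Value("${hspc.platform.api.fhir.additionalPermittedEndpointPairs:none}")
    private String[] additionalPermittedEndpointPairs;

    /**
     * Bean post-processor that, in {@code mock} mode only, strips every
     * {@link OAuth2AuthenticationProcessingFilter} from the chains of the bean named
     * {@code springSecurityFilterChain}. With the filter gone, bearer tokens are no longer
     * processed at all.
     */
    /* loaded from: input_file:org/hspconsortium/platform/api/oauth2/OAuth2ResourceConfig$SecurityFilterChainPostProcessor.class */
    static class SecurityFilterChainPostProcessor implements BeanPostProcessor {
        private static final String SECURITY_MODE_MOCK = "mock";

        @Value("${hspc.platform.api.security.mode}")
        private String securityMode;

        SecurityFilterChainPostProcessor() {
        }

        private String getSecurityMode() {
            return this.securityMode;
        }

        /**
         * Removes the OAuth2 authentication filter from every security filter chain when
         * the security mode is {@code mock}; otherwise leaves the bean untouched.
         *
         * @param obj the bean instance that has just been initialised
         * @param str the bean name
         * @return the same bean instance, possibly with filters removed in place
         */
        @Override
        public Object postProcessAfterInitialization(Object obj, String str) throws BeansException {
            if (getSecurityMode().equalsIgnoreCase(SECURITY_MODE_MOCK) && str.equals("springSecurityFilterChain")) {
                for (SecurityFilterChain chain : ((FilterChainProxy) obj).getFilterChains()) {
                    // Presumably getFilters() exposes the chain's live, mutable list; the
                    // in-place removal below depends on that. TODO confirm for the Spring
                    // Security version in use.
                    Iterator<?> filters = chain.getFilters().iterator();
                    while (filters.hasNext()) {
                        if (filters.next() instanceof OAuth2AuthenticationProcessingFilter) {
                            filters.remove();
                        }
                    }
                }
            }
            return obj;
        }

        /** No-op: beans are only inspected after initialisation. */
        @Override
        public Object postProcessBeforeInitialization(Object obj, String str) throws BeansException {
            return obj;
        }
    }

    public String getSecurityMode() {
        return this.securityMode;
    }

    public String getFhirContextPath() {
        return this.fhirContextPath;
    }

    public String getOpenContextPath() {
        return this.openContextPath;
    }

    @Bean
    public AccessTokenConverter accessTokenConverter() {
        return new HspcAccessTokenConverter();
    }

    /**
     * Builds the token services that validate access tokens against the authorization
     * server's check-token endpoint.
     *
     * @param str  URL of the check-token endpoint
     * @param str2 OAuth2 client id this resource server authenticates with
     * @param str3 OAuth2 client secret; it is read from configuration, so it must be
     *             supplied from a secret store and kept out of logs
     * @return the configured token services, or {@code null} in {@code mock} mode, where
     *         no token is ever validated
     */
    @Bean
    public ResourceServerTokenServices remoteTokenServices(@Value("${hspc.platform.authorization.tokenCheckUrl}") String str, @Value("${hspc.platform.api.oauth2.clientId}") String str2, @Value("${hspc.platform.api.oauth2.clientSecret}") String str3) {
        if (getSecurityMode().equalsIgnoreCase(SECURITY_MODE_MOCK)) {
            return null;
        }
        RemoteTokenServices tokenServices = new RemoteTokenServices();
        tokenServices.setCheckTokenEndpointUrl(str);
        tokenServices.setClientId(str2);
        tokenServices.setClientSecret(str3);
        tokenServices.setAccessTokenConverter(accessTokenConverter());
        return tokenServices;
    }

    @Bean
    SecurityFilterChainPostProcessor securityFilterChainPostProcessor() {
        return new SecurityFilterChainPostProcessor();
    }

    @Bean
    @Order(Integer.MIN_VALUE)
    public InvalidMediaTypeFilter invalidMediaTypeFilter() {
        return new InvalidMediaTypeFilter();
    }

    // One step after the media-type filter, which holds the lowest possible order value.
    @Bean
    @Order(Integer.MIN_VALUE + 1)
    public CorsFilter corsFilter() {
        return new CorsFilter();
    }

    /**
     * Installs the CORS and media-type filters ahead of the channel-processing filter and
     * then registers the URL authorization rules.
     *
     * @throws IllegalArgumentException if no FHIR context path is configured
     */
    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        Validate.isTrue(this.fhirContextPath != null, "Fhir context path not specified");
        httpSecurity.addFilterBefore(corsFilter(), ChannelProcessingFilter.class);
        httpSecurity.addFilterBefore(invalidMediaTypeFilter(), CorsFilter.class);
        configureHttpEndpoints(httpSecurity);
    }

    /**
     * Registers every permit rule and then the catch-all rule. The catch-all is added last
     * because authorization rules are evaluated in registration order and the first match
     * decides.
     */
    protected void configureHttpEndpoints(HttpSecurity httpSecurity) throws Exception {
        configureCustomPaths(httpSecurity);
        configureSystemEndpoints(httpSecurity);
        configureSandboxEndpoints(httpSecurity);
        configureFhirContextPath(httpSecurity);
        configureOpenContextPath(httpSecurity);
        if (!getSecurityMode().equalsIgnoreCase(SECURITY_MODE_MOCK)) {
            // Secure default: anything not explicitly permitted above needs a valid token.
            httpSecurity.authorizeRequests().anyRequest().authenticated();
            return;
        }
        // Mock mode: every path is permitted, so nothing behind this configuration is
        // protected. Combined with the filter removal in SecurityFilterChainPostProcessor,
        // tokens are neither required nor inspected.
        ArrayList<RequestMatcher> everything = new ArrayList<>();
        everything.add(new AntPathRequestMatcher("/**"));
        httpSecurity.requestMatcher(new OrRequestMatcher(everything)).authorizeRequests().antMatchers("/**").permitAll();
    }

    /** Extension hook for subclasses; registers nothing by default. */
    protected void configureCustomPaths(HttpSecurity httpSecurity) throws Exception {
    }

    /**
     * Permits the built-in unauthenticated endpoints and any additional ones listed in
     * {@code hspc.platform.api.fhir.additionalPermittedEndpointPairs}.
     *
     * @throws RuntimeException if a configured entry contains more than one {@code |}
     *         separated method part
     * @throws IllegalArgumentException if the method part of an entry is not an
     *         {@link HttpMethod} name
     */
    protected void configureSystemEndpoints(HttpSecurity httpSecurity) throws Exception {
        // "/system/**" is registered with a null method, so it is open for every HTTP
        // method, including state-changing ones; the remaining matchers are GET-only.
        // NOTE(review): "/test/.**" looks like regex syntax inside an Ant pattern; confirm
        // which paths it is meant to cover.
        httpSecurity.authorizeRequests()
                .antMatchers("/", "/health").permitAll()
                .requestMatchers(
                        new AntPathRequestMatcher("/system/**", (String) null),
                        new AntPathRequestMatcher("/terminology*", "GET"),
                        new AntPathRequestMatcher("/terminology/**", "GET"),
                        new AntPathRequestMatcher("/federated*", "GET"),
                        new AntPathRequestMatcher("/test/.**", "GET"))
                .permitAll();
        if (this.additionalPermittedEndpointPairs == null || this.additionalPermittedEndpointPairs.length <= 0 || NO_ENDPOINT.equals(this.additionalPermittedEndpointPairs[0])) {
            return;
        }
        // Every entry widens the unauthenticated surface, so this property deserves the
        // same review as a code change.
        for (String str : this.additionalPermittedEndpointPairs) {
            String[] parts = str.split("\\|");
            switch (parts.length) {
                case 1:
                    // No method given: the pattern is permitted for all HTTP methods.
                    // split() drops trailing empty strings, so an entry that ends in "|"
                    // also lands here instead of being rejected.
                    httpSecurity.authorizeRequests().antMatchers(parts[0]).permitAll();
                    break;
                case 2:
                    httpSecurity.authorizeRequests().antMatchers(HttpMethod.valueOf(parts[1]), parts[0]).permitAll();
                    break;
                default:
                    throw new RuntimeException("Value [" + str + "] is not in the required format of [endpoint|HttpMethod] ex: [http://example.com|GET]");
            }
        }
    }

    /** Permits everything under {@code /sandbox/} without authentication, for all HTTP methods. */
    protected void configureSandboxEndpoints(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests().antMatchers("/sandbox/**").permitAll();
    }

    /**
     * Applies the permit rules for the FHIR context path according to the security mode.
     * Does nothing when no context path is configured.
     *
     * <p>The mode is matched case-sensitively here, while the mock checks elsewhere in
     * this class ignore case. A value such as {@code "MOCK"} therefore fails startup with
     * the exception below rather than silently opening the server.
     *
     * @throws RuntimeException if the mode is not one of the three known values
     */
    protected void configureFhirContextPath(HttpSecurity httpSecurity) throws Exception {
        if (this.fhirContextPath == null || this.fhirContextPath.length() <= 0) {
            return;
        }
        // The listing carried the compiler's hashCode-based lowering of a string switch,
        // which is not valid Java source; this is the equivalent switch on the string.
        switch (getSecurityMode()) {
            case SECURITY_MODE_OPEN:
            case SECURITY_MODE_MOCK:
                configureOpenFHIRServer(httpSecurity, this.fhirContextPath);
                return;
            case SECURITY_MODE_SECURED:
                configureSecuredFHIRServer(httpSecurity, this.fhirContextPath);
                return;
            default:
                // The message predates mock mode; "mock" is accepted above as well.
                throw new RuntimeException("Security mode must be either open or secured");
        }
    }

    /** Opens the optional extra context path unless it is unset, empty or {@code "none"}. */
    protected void configureOpenContextPath(HttpSecurity httpSecurity) throws Exception {
        if (this.openContextPath == null || this.openContextPath.length() <= 0 || NO_ENDPOINT.equals(this.openContextPath)) {
            return;
        }
        configureOpenFHIRServer(httpSecurity, this.openContextPath);
    }

    /**
     * Permits the context path itself and everything below it, for every HTTP method and
     * without authentication.
     *
     * @param str the context path, without a leading slash; {@code null} is ignored
     */
    protected void configureOpenFHIRServer(HttpSecurity httpSecurity, String str) throws Exception {
        if (str != null) {
            // NOTE(review): the path is concatenated into the regex unquoted, so regex
            // metacharacters in the configured value change what is matched. Validate the
            // property, or quote it, if the value is not tightly controlled.
            permitRegex(httpSecurity, "\\/" + str, null);
            permitRegex(httpSecurity, "\\/" + str + "\\/.*", null);
        }
    }

    /**
     * Permits only the discovery endpoints of a secured FHIR server without
     * authentication: GET on {@code metadata} and any method on {@code _services/smart/}.
     *
     * @param str the context path, without a leading slash; {@code null} or empty is ignored
     */
    protected void configureSecuredFHIRServer(HttpSecurity httpSecurity, String str) throws Exception {
        if (str == null || str.length() <= 0) {
            return;
        }
        // As in configureOpenFHIRServer, the path goes into the regex unquoted.
        permitRegex(httpSecurity, "\\/" + str + "\\/metadata", "GET");
        // The trailing ".*" permits any continuation after "metadata", not only that exact
        // resource.
        permitRegex(httpSecurity, "\\/" + str + "\\/metadata.*", "GET");
        permitRegex(httpSecurity, "\\/" + str + "\\/_services\\/smart\\/.*", null);
    }

    /**
     * Permits unauthenticated access to requests matching an Ant-style path pattern.
     *
     * @param str  the Ant path pattern
     * @param str2 the HTTP method to match, or {@code null} for any method
     */
    public void permitAntPath(HttpSecurity httpSecurity, String str, String str2) throws Exception {
        httpSecurity.authorizeRequests().requestMatchers(new AntPathRequestMatcher(str, str2)).permitAll();
    }

    /**
     * Permits unauthenticated access to requests matching a regular expression.
     *
     * @param str  the regular expression
     * @param str2 the HTTP method to match, or {@code null} for any method
     */
    public void permitRegex(HttpSecurity httpSecurity, String str, String str2) throws Exception {
        httpSecurity.authorizeRequests().requestMatchers(new RegexRequestMatcher(str, str2)).permitAll();
    }
}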
