package io.nerv.config;

import cn.hutool.core.collection.CollUtil;
import cn.hutool.core.util.ArrayUtil;
import io.nerv.core.util.JsonUtil;
import io.nerv.properties.EvaConfig;
import io.nerv.security.entrypoint.UnauthorizedHandler;
import io.nerv.security.entrypoint.UrlAccessDeniedHandler;
import io.nerv.security.entrypoint.UrlAuthenticationFailureHandler;
import io.nerv.security.entrypoint.UrlAuthenticationSuccessHandler;
import io.nerv.security.entrypoint.UrlLogoutSuccessHandler;
import io.nerv.security.filter.JwtAuthFilter;
import io.nerv.security.provider.JwtUsernamePasswordAuthenticationFilter;
import io.nerv.security.provider.LoginAuthenticationProvider;
import io.nerv.security.provider.UrlFilterSecurityInterceptor;
import java.util.Arrays;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

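/**
 * Spring Security configuration: a stateless filter chain with a token filter
 * ({@link JwtAuthFilter}), a login filter bound to {@code /auth/login}, logout at
 * {@code /auth/logout}, and an optional URL-permission interceptor.
 *
 * <p>Three places decide what is reachable without authentication, and all three must be read
 * together when auditing exposure:
 * <ul>
 *   <li>{@code eva.security.anonymous} - patterns opened with {@code permitAll()} inside the chain;</li>
 *   <li>{@code eva.security.webstatic} - patterns removed from the chain entirely;</li>
 *   <li>the fixed GET patterns in {@link #configure(WebSecurity)} - also removed from the chain.</li>
 * </ul>
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Ant patterns that stay inside the filter chain but are opened with permitAll().
    @Value("${eva.security.anonymous}")
    private String[] anonymous;

    // Extra ant patterns that bypass the filter chain completely (see configure(WebSecurity)).
    @Value("${eva.security.webstatic}")
    private String[] webstatic;

    @Autowired
    private EvaConfig evaConfig;

    @Autowired
    private JsonUtil jsonUtil;

    @Autowired
    private LoginAuthenticationProvider loginAuthenticationProvider;

    @Autowired
    private UrlAuthenticationSuccessHandler urlAuthenticationSuccessHandler;

    @Autowired
    private UrlAuthenticationFailureHandler urlAuthenticationFailureHandler;

    @Autowired
    private UrlLogoutSuccessHandler urlLogoutSuccessHandler;

    @Autowired
    private UrlAccessDeniedHandler urlAccessDeniedHandler;

    @Autowired
    private UnauthorizedHandler unauthorizedHandler;

    @Autowired
    private UrlFilterSecurityInterceptor urlFilterSecurityInterceptor;

    @Autowired
    @Qualifier("jwtUserDetailsService")
    private UserDetailsService userDetailsService;

    @Autowired
    private JwtAuthFilter jwtAuthFilter;

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    /**
     * Registers the authentication sources: the custom {@link LoginAuthenticationProvider}, then
     * the {@code jwtUserDetailsService} user store checked with the injected BCrypt encoder.
     *
     * <p>No account is defined in code. A user whose name and password are compiled into the
     * application is readable by anyone holding the artifact, is identical in every deployment
     * and cannot be rotated, so privileged accounts must come from the user store only.
     *
     * <p>NOTE(review): earlier builds of this class registered an in-memory {@code ADMIN} user
     * named {@code toor} with a fixed password. Treat that password as disclosed: make sure no
     * stored account reuses it and review authentication logs for logins under that name.
     *
     * @param authenticationManagerBuilder builder supplied by Spring Security
     * @throws Exception if a provider cannot be configured
     */
    @Override
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .authenticationProvider(this.loginAuthenticationProvider)
                .userDetailsService(this.userDetailsService)
                .passwordEncoder(this.bCryptPasswordEncoder);
    }

    /**
     * Exposes a {@link JwtAuthFilter} as a bean.
     *
     * <p>NOTE(review): presumably this is the instance injected into {@code jwtAuthFilter} above -
     * confirm there is no second {@code JwtAuthFilter} bean. If the application runs on Spring
     * Boot, a {@code Filter} bean is by default also registered with the servlet container, so it
     * would run a second time outside the security chain, including on the paths ignored in
     * {@link #configure(WebSecurity)} - verify and disable that registration if so.
     *
     * @return a new filter instance
     */
    @Bean
    public JwtAuthFilter authenticationTokenFilterBean() {
        return new JwtAuthFilter();
    }

    /**
     * Builds the CORS policy applied to every path.
     *
     * <p>Allowed origins come from {@code evaConfig.getJwt().getCreditUrl()}. Credentials are
     * never allowed, which is what makes a wildcard origin legal at all.
     *
     * @return the CORS configuration source registered for {@code /**}
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();

        // NOTE(review): an empty or missing origin list falls back to "*", i.e. the policy fails
        // open. Any origin may then read responses to requests it is able to authenticate.
        // Prefer an explicit origin list in every deployed environment.
        corsConfiguration.setAllowedOrigins(
                CollUtil.isEmpty(this.evaConfig.getJwt().getCreditUrl())
                        ? Arrays.asList("*")
                        : this.evaConfig.getJwt().getCreditUrl());
        corsConfiguration.setAllowCredentials(false);
        corsConfiguration.setAllowedMethods(Arrays.asList("PUT", "DELETE", "GET", "POST", "OPTIONS"));
        corsConfiguration.setAllowedHeaders(Arrays.asList("*"));
        corsConfiguration.setMaxAge(1800L); // preflight cache lifetime, in seconds

        // Response headers that cross-origin scripts are allowed to read; this includes the
        // token-carrying headers.
        corsConfiguration.setExposedHeaders(Arrays.asList(
                "Access-Control-Allow-Headers",
                "Access-Control-Allow-Methods",
                "Access-Control-Expose-Headers",
                "Access-Control-Allow-Origin",
                "Access-Control-Max-Age",
                "authorization",
                "auth_token",
                "xsrf-token",
                "content-type",
                "X-Frame-Options",
                "Authorization"));

        UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
        urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
        return urlBasedCorsConfigurationSource;
    }

    /**
     * Configures the HTTP filter chain: CORS, response headers, stateless sessions, URL
     * authorization rules, logout, the optional URL-permission interceptor, error handlers and
     * the two authentication filters.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @throws Exception if the chain cannot be configured
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .cors()
                .and()
                // CSRF protection is off. That is sound only while the credential travels in a
                // request header the browser does not attach on its own.
                // TODO confirm JwtAuthFilter never accepts the token from a cookie.
                .csrf().disable()
                .headers()
                    .xssProtection().block(true)
                    .and()
                    .addHeaderWriter(new StaticHeadersWriter("P3P",
                            "CP='CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'"))
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    // anonymous() admits only unauthenticated callers.
                    // NOTE(review): confirm API documentation is meant to be reachable without
                    // login outside development.
                    .antMatchers("/swagger-resources/**").anonymous()
                    .antMatchers(this.anonymous).permitAll()
                    .anyRequest().authenticated();

        httpSecurity.logout().logoutUrl("/auth/logout").logoutSuccessHandler(this.urlLogoutSuccessHandler);

        if (this.evaConfig.getResourcePermission().isEnable()) {
            // addFilterAt places the custom interceptor at the position of the stock
            // FilterSecurityInterceptor; it does not remove the stock one.
            httpSecurity.addFilterAt(this.urlFilterSecurityInterceptor, FilterSecurityInterceptor.class);
        }

        // Both filters are registered before UsernamePasswordAuthenticationFilter, token filter first.
        httpSecurity
                .exceptionHandling()
                    .authenticationEntryPoint(this.unauthorizedHandler)
                    .accessDeniedHandler(this.urlAccessDeniedHandler)
                .and()
                .addFilterBefore(this.jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(
                        new JwtUsernamePasswordAuthenticationFilter(
                                "/auth/login",
                                authenticationManager(),
                                this.urlAuthenticationSuccessHandler,
                                this.urlAuthenticationFailureHandler,
                                this.jsonUtil),
                        UsernamePasswordAuthenticationFilter.class);

        httpSecurity.anonymous().authorities("ROLE_ANONYMOUS");

        // X-Frame-Options is set in exactly one place: SAMEORIGIN. Cache-control headers are on.
        httpSecurity.headers().frameOptions().sameOrigin().cacheControl();
    }

    /**
     * Removes static-resource and API-documentation paths from the security filter chain.
     *
     * <p>NOTE(review): requests matching these patterns skip the whole chain, so they receive
     * neither authentication nor the response headers set in {@link #configure(HttpSecurity)}.
     * The patterns match on path shape only; confirm that no dynamic handler is reachable under
     * a path ending in one of these suffixes, or move static assets to {@code permitAll()} rules
     * in {@link #configure(HttpSecurity)} so the chain still runs. The fixed list is limited to
     * GET, but the {@code eva.security.webstatic} patterns are ignored for every HTTP method.
     *
     * @param webSecurity builder supplied by Spring Security
     */
    @Override
    public void configure(WebSecurity webSecurity) {
        WebSecurity.IgnoredRequestConfigurer ignoredRequestConfigurer = webSecurity.ignoring()
                .antMatchers(HttpMethod.GET,
                        "/",
                        "/static/**",
                        "/*.html",
                        "/*.xls",
                        "/*.xlsx",
                        "/*.doc",
                        "/*.docx",
                        "/*.pdf",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js",
                        "/**/swagger-resources/**",
                        "/**/api-docs/**");
        if (ArrayUtil.isNotEmpty(this.webstatic)) {
            ignoredRequestConfigurer.antMatchers(this.webstatic);
        }
    }
}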
