package org.sdase.commons.spring.boot.web.auth;

import java.util.List;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.util.StringUtils;

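/**
 * Builds the application's {@link SecurityFilterChain} in one of two modes, selected by
 * configuration:
 *
 * <ul>
 *   <li>{@code auth.disable=true}: no OAuth2 resource server is configured, so bearer tokens are
 *       not validated at all.
 *   <li>otherwise: an OAuth2 resource server is configured that accepts JWTs only from the
 *       issuers listed in {@code auth.issuers} (comma separated).
 * </ul>
 *
 * <p>In both modes every URL is {@code permitAll()} at the URL-matching level and the actual
 * access decision is handed to the injected {@link SdaAccessDecisionManager}. That class is not
 * part of this file, so what it enforces must be reviewed there; nothing in this class rejects an
 * unauthenticated request by itself.
 */
@EnableWebSecurity
@AutoConfiguration
@ComponentScan
@Order(1)
public class SdaSecurityConfiguration {
    private static final Logger LOG = LoggerFactory.getLogger(SdaSecurityConfiguration.class);

    // Raw, comma separated value of `auth.issuers`; empty when the property is not set.
    private final String issuers;

    // Value of `auth.disable`; defaults to false, i.e. token validation stays on.
    private final boolean disableAuthentication;

    // Makes the access decision for every request in both modes.
    private final SdaAccessDecisionManager sdaAccessDecisionManager;

    /**
     * @param str comma separated list of trusted token issuers ({@code auth.issuers}, default
     *     empty)
     * @param z whether authentication is switched off ({@code auth.disable}, default
     *     {@code false})
     * @param sdaAccessDecisionManager decision manager applied to all requests
     */
    public SdaSecurityConfiguration(@Value("${auth.issuers:}") String str, @Value("${auth.disable:false}") boolean z, SdaAccessDecisionManager sdaAccessDecisionManager) {
        this.issuers = str;
        this.disableAuthentication = z;
        this.sdaAccessDecisionManager = sdaAccessDecisionManager;
    }

    /**
     * Creates the filter chain for the configured mode and logs which mode is active.
     *
     * @param httpSecurity the builder provided by Spring Security
     * @return the built filter chain
     * @throws Exception if Spring Security fails to apply the configuration
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        if (this.disableAuthentication) {
            // Startup warning is the only signal that token validation is off; worth alerting on
            // this message in any non-development environment.
            LOG.warn("Authentication is disabled. This setting should NEVER be used in production.");
            noAuthentication(httpSecurity);
        } else {
            LOG.info("Configured to accept these issuers: {}", this.issuers);
            oidcAuthentication(httpSecurity);
        }
        return httpSecurity.build();
    }

    /**
     * Configures JWT validation against the trusted issuers and delegates authorization to the
     * access decision manager.
     */
    private void oidcAuthentication(HttpSecurity httpSecurity) throws Exception {
        AuthenticationManagerResolver<HttpServletRequest> resolver = createAuthenticationManagerResolver();
        // CSRF protection is switched off for the whole chain.
        // NOTE(review): this is only appropriate if no endpoint authenticates through cookies or
        // a server-side session - confirm for the services using this configuration.
        httpSecurity
            .csrf()
            .disable()
            .authorizeRequests(
                authorize ->
                    // permitAll() lets every request through the URL rule; the decision manager
                    // is the only authorization control configured here.
                    authorize.anyRequest().permitAll().accessDecisionManager(this.sdaAccessDecisionManager))
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));
    }

    /**
     * Chooses how presented credentials are authenticated.
     *
     * @return a resolver limited to the configured issuers, or, when no issuer is configured, a
     *     resolver that rejects everything except anonymous authentication
     */
    private AuthenticationManagerResolver<HttpServletRequest> createAuthenticationManagerResolver() {
        List<String> trustedIssuers = commaSeparatedStringToList(this.issuers);
        if (trustedIssuers.isEmpty()) {
            LOG.warn("No trusted issuers configured, anonymous requests allowed.");
            return onlyAnonymousAuthenticationManagerResolver();
        }
        // NOTE(review): the issuer strings are passed on as configured; nothing in this class
        // checks their scheme or format, so the property itself must be kept under change control.
        return new JwtIssuerAuthenticationManagerResolver(trustedIssuers);
    }

    /**
     * Fail-closed resolver used when no issuer is trusted: any authentication that is not an
     * {@link AnonymousAuthenticationToken} (for example a bearer token) is rejected.
     */
    private AuthenticationManagerResolver<HttpServletRequest> onlyAnonymousAuthenticationManagerResolver() {
        return request ->
            authentication -> {
                if (authentication instanceof AnonymousAuthenticationToken) {
                    return authentication;
                }
                throw new BadCredentialsException("Invalid authentication");
            };
    }

    /**
     * Configures the chain without any token validation; only the access decision manager is
     * consulted. CSRF protection is disabled here as well.
     */
    private void noAuthentication(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .csrf()
            .disable()
            .authorizeRequests(
                authorize ->
                    authorize.anyRequest().permitAll().accessDecisionManager(this.sdaAccessDecisionManager));
    }

    /**
     * Splits a comma separated value into trimmed, non-blank entries.
     *
     * @param str the raw property value, may be {@code null} or empty
     * @return an unmodifiable list of entries; empty if {@code str} is {@code null} or holds no
     *     text
     */
    private List<String> commaSeparatedStringToList(String str) {
        if (str == null) {
            // Treat a missing value like an empty one so the caller falls back to the
            // anonymous-only resolver instead of failing with a NullPointerException.
            return List.of();
        }
        // Stream over String[] directly; a cast to Object[] would lose the element type that
        // StringUtils::hasText and String::trim need.
        return Stream.of(str.split(",")).filter(StringUtils::hasText).map(String::trim).toList();
    }
}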
