package io.keepup.cms.core.config;

import io.keepup.cms.core.datasource.dao.DataSourceFacade;
import java.net.URI;
import java.util.Objects;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import reactor.core.publisher.Mono;

/**
 * Reactive (WebFlux) Spring Security wiring for the CMS.
 *
 * <p>The whole configuration is skipped unless {@code keepup.security.enabled=true}.
 * It contributes a CSRF token repository, a BCrypt password encoder, a user-details
 * lookup backed by {@link DataSourceFacade}, and an optional default filter chain.
 *
 * <p>Listing decompiled from {@code io/keepup/cms/core/config/SecurityConfiguration.class};
 * local names and formatting may differ from the original source.
 */
@Configuration
@EnableWebFluxSecurity
@ConditionalOnProperty(prefix = "keepup.security", name = "enabled", havingValue = "true")
public class SecurityConfiguration {
    /** Cookie name dropped from the response cookie map on logout. */
    private static final String JSESSIONID = "JSESSIONID";

    /** Redirect template used after logout; {@code %s} is replaced with the login URL. */
    private static final String LOGOUT_LOCATION = "%s?logout";

    private final Log log = LogFactory.getLog(getClass());
    private final DataSourceFacade dataSourceFacade;

    // Patterns that require an authenticated user. The default covers only "/".
    // NOTE(review): how requests matching neither this list nor the permitted list are
    // treated depends on the framework's default decision - confirm it is deny.
    @Value("${keepup.security.path-matchers:/}")
    private String[] pathMatchers;

    // Patterns reachable without authentication. The default exposes every actuator
    // endpoint to anonymous callers, so review which endpoints are enabled.
    @Value("${keepup.security.permitted-urls:/actuator/**}")
    private String[] permittedUrls;

    @Value("${keepup.security.login-url:/login}")
    private String loginUrl;

    @Value("${keepup.security.logout-url:/logout}")
    private String logoutUrl;

    // CSRF protection stays on unless this property is explicitly set to false.
    @Value("${keepup.security.csrf-enabled:true}")
    private boolean csrfEnabled;

    // When true, the chain is built without registering loginUrl as the login page.
    @Value("${keepup.security.override-web-login:false}")
    private boolean overrideWebLoginForm;

    /**
     * Creates the configuration.
     *
     * @param dataSourceFacade facade later used to look users up by name
     */
    public SecurityConfiguration(DataSourceFacade dataSourceFacade) {
        this.dataSourceFacade = dataSourceFacade;
        this.log.debug("Security configuration instantiated with data source facade");
    }

    /**
     * Exposes a session-backed CSRF token repository as a bean.
     *
     * <p>NOTE(review): the filter chain defined in this class never passes this bean to
     * its CSRF spec, so the chain relies on whatever repository the framework picks -
     * confirm that is intended.
     *
     * @return a new {@link WebSessionServerCsrfTokenRepository}
     */
    @Bean
    public WebSessionServerCsrfTokenRepository webSessionServerCsrfTokenRepository() {
        this.log.debug("Instantiating web session CSRF token repository");
        return new WebSessionServerCsrfTokenRepository();
    }

    /**
     * Builds the default filter chain: authentication rules, form login, logout and CSRF.
     *
     * <p>The bean is registered only when the {@code security} profile is active and
     * {@code keepup.security.default-web-filter-chain.enabled=true}. Otherwise this class
     * defines no chain at all. NOTE(review): verify which chain applies in that case.
     *
     * @param serverHttpSecurity the builder supplied by Spring Security
     * @return the assembled {@link SecurityWebFilterChain}
     */
    @Profile("security")
    @ConditionalOnProperty(prefix = "keepup.security.default-web-filter-chain", name = "enabled", havingValue = "true")
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity serverHttpSecurity) {
        this.log.debug("Configuring server HTTP security");

        ServerHttpSecurity http = serverHttpSecurity
                .authorizeExchange()
                // Rule order matters: the protected patterns are registered first.
                .pathMatchers(this.pathMatchers).authenticated()
                // The login URL is always appended to the anonymous-access list.
                .pathMatchers(ArrayUtils.addAll(this.permittedUrls, this.loginUrl)).permitAll()
                .and()
                .formLogin()
                .and()
                .logout()
                .logoutUrl(this.logoutUrl)
                // Logout is triggered by GET. Spring Security's default CSRF matcher skips
                // GET, so any cross-site link or embedded resource can end a user's session.
                // NOTE(review): consider requiring POST if clients allow it.
                .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, this.logoutUrl))
                .logoutSuccessHandler((exchange, authentication) -> getLogoutSuccessHandler(exchange))
                .and()
                .csrf(spec -> {
                    // Leave the framework defaults untouched unless CSRF was switched off.
                    if (!this.csrfEnabled) {
                        spec.disable();
                    }
                });

        if (this.overrideWebLoginForm) {
            return http.build();
        }
        // Point form login at the configured login page instead of the default one.
        return http.formLogin().loginPage(this.loginUrl).and().build();
    }

    /**
     * Provides the password encoder used to hash and verify credentials.
     *
     * @return a {@link BCryptPasswordEncoder} with the library's default work factor
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        this.log.debug("Instantiating the password encoder");
        return new BCryptPasswordEncoder();
    }

    /**
     * Adapts {@link DataSourceFacade#getUserByName} to Spring's reactive user lookup.
     *
     * @return a user-details service delegating to the data source facade
     * @throws NullPointerException if no facade was injected
     */
    @Bean
    public ReactiveUserDetailsService reactiveUserDetailsService() {
        this.log.debug("Instantiating the UserDetails service");
        DataSourceFacade facade = Objects.requireNonNull(this.dataSourceFacade);
        return facade::getUserByName;
    }

    /**
     * Completes a logout: redirects to the login page and invalidates the web session.
     *
     * <p>The redirect target is built from configuration only, never from request data.
     *
     * @param webFilterExchange the exchange being logged out
     * @return a {@link Mono} that completes once the session has been invalidated
     */
    private Mono<Void> getLogoutSuccessHandler(WebFilterExchange webFilterExchange) {
        ServerHttpResponse response = webFilterExchange.getExchange().getResponse();
        response.setStatusCode(HttpStatus.FOUND);

        URI redirectTarget = URI.create(LOGOUT_LOCATION.formatted(this.loginUrl));
        response.getHeaders().setLocation(redirectTarget);

        // This only drops a pending JSESSIONID entry from the outgoing cookie map. It does
        // not send an expiring cookie, so cleanup relies on the session invalidation below.
        // NOTE(review): WebFlux names its session cookie SESSION unless reconfigured -
        // confirm JSESSIONID is the cookie actually in use.
        response.getCookies().remove(JSESSIONID);

        return webFilterExchange.getExchange().getSession().flatMap(session -> session.invalidate());
    }
}
