package team.sailboat.ms.ac.conf;

import jakarta.annotation.PostConstruct;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationEventPublisher;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
import org.springframework.security.oauth2.server.authorization.web.authentication.ClientSecretBasicAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.ClientSecretPostAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.DelegatingAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import team.sailboat.commons.fan.app.AppContext;
import team.sailboat.commons.fan.collection.XC;
import team.sailboat.commons.fan.dpa.DRepository;
import team.sailboat.commons.fan.lang.JCommon;
import team.sailboat.commons.ms.ac.ApiFinder4Controller;
import team.sailboat.commons.ms.ac.AppAuthenticationProvider;
import team.sailboat.commons.ms.ac.AppSignCheckerFilter;
import team.sailboat.commons.ms.ac.InnerProtectedApi;
import team.sailboat.commons.ms.crypto.RSAKeyPairMaker4JS;
import team.sailboat.commons.ms.xca.IAppSignChecker;
import team.sailboat.ms.ac.AppConfig;
import team.sailboat.ms.ac.AppConsts;
import team.sailboat.ms.ac.component.LoginUserRegisterRepo;
import team.sailboat.ms.ac.component.OAuth2AuthorizationCodeRequestAuthenticationProvider;
import team.sailboat.ms.ac.component.UserAuthoritiesChangeMonitor;
import team.sailboat.ms.ac.dbean.ClientApp;
import team.sailboat.ms.ac.filter.PasswordDecorderFilter;
import team.sailboat.ms.ac.filter.ResetExpiredPasswdFilter;
import team.sailboat.ms.ac.frame.CustomAuthenticationFailureHandler;
import team.sailboat.ms.ac.frame.CustomAuthenticationSuccessHandler;
import team.sailboat.ms.ac.oauth2server.AppSignAuthConverter;
import team.sailboat.ms.ac.oauth2server.CorsTokenAuthenticationConverter;
import team.sailboat.ms.ac.oauth2server.CorsTokenAuthenticationProvider;
import team.sailboat.ms.ac.plugin.LoginComponentProvider;
import team.sailboat.ms.ac.utils.LoginFailStore;

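/**
 * Security configuration of the authorization server.
 *
 * <p>Builds the single {@link SecurityFilterChain} (ordered first via
 * {@code @Order(Integer.MIN_VALUE)}) that hosts the OAuth2 authorization-server
 * endpoints, form login and logout, the app-signature / password-decoding filters
 * and the request-level access rules. Paths gathered in {@link #_init()} are
 * permitted without authentication; every other request must be authenticated.
 *
 * <p>Thread-safety follows the Spring singleton contract: fields are assigned once
 * during bean initialisation and only read afterwards.
 */
@EnableWebSecurity
@Configuration(proxyBeanMethods = false)
@EnableMethodSecurity(prePostEnabled = true)
public class SecurityConfig {

    /** Landing page after a successful form login; also handed to {@link LoginComponentProvider}. */
    private static final String MANAGE_PATH = "/manage";

    /** URL on which logout is accepted (GET, see the logout customizer below). */
    private static final String LOGOUT_PATH = "/logout";

    final Logger mLogger = LoggerFactory.getLogger(getClass());

    @Autowired
    AppConfig mAppConfig;

    /** Handed to {@link PasswordDecorderFilter}; presumably the login page encrypts the password with its public key — confirm. */
    @Autowired
    RSAKeyPairMaker4JS mRSAMaker;

    /** Entity repository used to resolve {@link ClientApp} secrets by business id. */
    @Autowired
    DRepository mRepo;

    /** Users whose password has expired and must be reset; shared with the reset filter and failure handler. */
    @Autowired
    @Qualifier("resetPasswdUsernames")
    Map<String, String> mResetPasswdUserNames;

    /** Failed-login bookkeeping shared by the password filter and both login handlers. */
    @Autowired
    LoginFailStore mLoginFailStore;

    @Autowired
    OAuth2AuthorizationServerConfigurer mAuthorizationServerConfigurer;

    @Autowired
    OAuth2AuthorizationCodeRequestAuthenticationProvider mAuthCodePvd;

    @Autowired
    DaoAuthenticationProvider mUserPswdAuthPvd;

    /** Ant-style paths reachable without authentication; populated once in {@link #_init()}. */
    String[] mOpenApiPaths;

    /**
     * Collects the paths that the authorize rule permits without authentication:
     * every endpoint discovered for {@link InnerProtectedApi} in the configured
     * controller packages, plus the static login, error, account-binding and asset
     * paths listed below.
     *
     * <p>NOTE(review): {@link InnerProtectedApi} endpoints end up in the permit-all
     * set, so the session layer does not authenticate them; presumably they are
     * guarded by {@link AppSignCheckerFilter} instead — confirm against that filter.
     */
    @PostConstruct
    void _init() {
        String[] controllerPackages = (String[]) AppContext.get("ControllerPackages");
        Set<String> apiPaths = ApiFinder4Controller.getApiPaths(InnerProtectedApi.class, controllerPackages);
        XC.addAll(apiPaths, new String[]{"/", "/foreign/**", "/index", "/error", "/error_view", "/dingLogin",
                AppConsts.sViewPath_login, AppConsts.sPagePath_ResetExpiredPasswd, "/creteNewAccount/ofDing",
                "/bindAccount/ding", "/assets/**", "/public/**"});
        this.mOpenApiPaths = apiPaths.toArray(JCommon.sEmptyStringArray);
    }

    /**
     * Builds the authorization-server filter chain.
     *
     * <p>Filters registered ahead of {@link UsernamePasswordAuthenticationFilter}, front to back:
     * {@link ResetExpiredPasswdFilter} → {@link AppSignCheckerFilter} → {@link PasswordDecorderFilter}.
     * Where the filters injected by {@link LoginComponentProvider} land is decided inside that class.
     *
     * @param httpSecurity builder for this chain
     * @param registeredClientRepository OAuth2 client registry consulted by {@link CorsTokenAuthenticationProvider}
     * @param oAuth2AuthorizationConsentService not referenced in the body; kept for backward-compatible wiring
     *        (presumably forces bean creation order — confirm)
     * @param loginUserRegisterRepo not referenced in the body; kept for backward-compatible wiring
     * @param authenticationEventPublisher installed on the shared {@link ProviderManager} so
     *        success/failure events are published
     * @param oAuth2AuthorizationService shared with the configurer and the CORS-token provider
     * @param iAppSignChecker verifies app signatures for {@link AppSignCheckerFilter} and {@link AppSignAuthConverter}
     * @param appAuthenticationProvider authenticates app-signed requests
     * @param userAuthoritiesChangeMonitor doubles as logout success handler
     * @return the built filter chain
     * @throws Exception propagated from {@link HttpSecurity} configuration
     * @throws IllegalStateException when the shared {@link AuthenticationManager} is not a {@link ProviderManager}
     */
    @Bean
    @Order(Integer.MIN_VALUE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity httpSecurity, RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationConsentService oAuth2AuthorizationConsentService, LoginUserRegisterRepo loginUserRegisterRepo, AuthenticationEventPublisher authenticationEventPublisher, OAuth2AuthorizationService oAuth2AuthorizationService, IAppSignChecker iAppSignChecker, AppAuthenticationProvider appAuthenticationProvider, UserAuthoritiesChangeMonitor userAuthoritiesChangeMonitor) throws Exception {
        addPreLoginFilters(httpSecurity, iAppSignChecker, appAuthenticationProvider);

        RequestMatcher endpointsMatcher = this.mAuthorizationServerConfigurer.getEndpointsMatcher();

        // Resolves a client's secret by business id for the CORS-token grant. The value is handed
        // over exactly as stored; how it is compared lives in CorsTokenAuthenticationProvider
        // (NOTE(review): confirm it is compared in constant time and never logged).
        CorsTokenAuthenticationProvider corsTokenAuthenticationProvider = new CorsTokenAuthenticationProvider(
                registeredClientRepository, oAuth2AuthorizationService, clientBid -> {
                    ClientApp clientApp = (ClientApp) this.mRepo.getByBid(ClientApp.class, clientBid);
                    return clientApp == null ? null : clientApp.getAppSecret();
                });

        this.mAuthorizationServerConfigurer.authorizationEndpoint(endpoint -> {
            endpoint.authenticationProvider(this.mUserPswdAuthPvd);
            endpoint.authenticationProvider(this.mAuthCodePvd);
            endpoint.authenticationProvider(corsTokenAuthenticationProvider);
            httpSecurity.setSharedObject(OAuth2AuthorizationService.class, oAuth2AuthorizationService);
        });

        httpSecurity
                .authorizeHttpRequests(registry -> registry
                        .requestMatchers(this.mOpenApiPaths).permitAll()
                        .anyRequest().authenticated())
                // CSRF is skipped for the public/foreign paths, the CORS token endpoint and every
                // authorization-server endpoint (those authenticate the client on each request).
                // NOTE(review): "/token/cors" is not in mOpenApiPaths (unless discovered as an
                // InnerProtectedApi path), so it is session-authenticated yet CSRF-exempt; confirm
                // CorsTokenAuthenticationConverter performs its own origin/credential check.
                .csrf(csrf -> csrf
                        .ignoringRequestMatchers("/public/**", "/foreign/**", "/token/cors")
                        .ignoringRequestMatchers(endpointsMatcher))
                // Empty jwt() customizer: relies on a JwtDecoder being available in the context.
                .oauth2ResourceServer(resourceServer -> resourceServer.jwt(jwt -> { }))
                // HttpSecurity.apply is deprecated in newer Spring Security releases in favour of
                // with(); kept because the target version is not visible here.
                .apply(this.mAuthorizationServerConfigurer);

        CustomAuthenticationFailureHandler failureHandler = new CustomAuthenticationFailureHandler(this.mResetPasswdUserNames, this.mLoginFailStore);
        failureHandler.setDefaultFailureUrl(AppConsts.sViewPath_loginFailure);

        SecurityFilterChain securityFilterChain = httpSecurity
                // ALWAYS: a session is created for every request, including ones carrying only a
                // JWT or an app signature; IF_REQUIRED/STATELESS is the usual choice for those, so
                // treat this as a deliberate trade-off to confirm.
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.ALWAYS))
                .formLogin(form -> form
                        .loginPage(AppConsts.sViewPath_login)
                        .loginProcessingUrl(AppConsts.sApiPath_login)
                        .defaultSuccessUrl(MANAGE_PATH)
                        .failureHandler(failureHandler)
                        .successHandler(new CustomAuthenticationSuccessHandler(this.mLoginFailStore)))
                // NOTE(review): logout is accepted over GET, overriding Spring's POST-only default
                // that applies while CSRF is enabled; any third-party page can then force a logout
                // by loading this URL. Switching the matcher to POST would close that; left as is
                // because the login views may link to it directly.
                .logout(logout -> logout
                        .logoutUrl(LOGOUT_PATH)
                        .invalidateHttpSession(true)
                        .logoutSuccessUrl(AppConsts.sViewPath_login)
                        .logoutSuccessHandler(userAuthoritiesChangeMonitor)
                        .deleteCookies("JSESSIONID")
                        .logoutRequestMatcher(new AntPathRequestMatcher(LOGOUT_PATH, "GET")))
                .build();

        // The token generator is only published as a shared object once the chain has been built.
        corsTokenAuthenticationProvider.setAccessTokenGenerator(httpSecurity.getSharedObject(OAuth2TokenGenerator.class));

        installAuthenticationConverters(securityFilterChain, iAppSignChecker, appAuthenticationProvider);

        AuthenticationManager authenticationManager = httpSecurity.getSharedObject(AuthenticationManager.class);
        if (!(authenticationManager instanceof ProviderManager)) {
            // The original cast unconditionally; fail with a readable message rather than a ClassCastException.
            throw new IllegalStateException("Shared AuthenticationManager is not a ProviderManager: " + authenticationManager);
        }
        ((ProviderManager) authenticationManager).setAuthenticationEventPublisher(authenticationEventPublisher);
        return securityFilterChain;
    }

    /**
     * Registers the filters that run ahead of the username/password filter: password decoding
     * for the login endpoint, the login component filters, app-signature checking and the
     * expired-password redirect.
     *
     * @throws Exception propagated from {@link HttpSecurity#addFilterBefore}
     */
    private void addPreLoginFilters(HttpSecurity httpSecurity, IAppSignChecker appSignChecker, AppAuthenticationProvider appAuthenticationProvider) throws Exception {
        httpSecurity.addFilterBefore(new PasswordDecorderFilter(AppConsts.sApiPath_login, this.mRSAMaker, this.mLoginFailStore), UsernamePasswordAuthenticationFilter.class);
        new LoginComponentProvider().injectLoginFilters(httpSecurity, MANAGE_PATH);
        httpSecurity.addFilterBefore(new AppSignCheckerFilter(appSignChecker, appAuthenticationProvider), PasswordDecorderFilter.class);
        httpSecurity.addFilterBefore(new ResetExpiredPasswdFilter(this.mResetPasswdUserNames), AppSignCheckerFilter.class);
    }

    /**
     * Replaces the authentication converters of the client-authentication and token-endpoint
     * filters so that app-signature and CORS-token credentials are accepted alongside the
     * standard client-secret and grant converters.
     *
     * <p>The filter list is typed {@code List<?>} because {@link SecurityFilterChain#getFilters()}
     * yields servlet filters, not {@link OAuth2TokenEndpointFilter}s (the decompiled original
     * declared the narrower type, which does not compile).
     */
    private static void installAuthenticationConverters(SecurityFilterChain chain, IAppSignChecker appSignChecker, AppAuthenticationProvider appAuthenticationProvider) {
        List<?> filters = chain.getFilters();
        if (filters == null) {
            return;
        }
        for (Object filter : filters) {
            if (filter instanceof OAuth2ClientAuthenticationFilter) {
                ((OAuth2ClientAuthenticationFilter) filter).setAuthenticationConverter(new DelegatingAuthenticationConverter(Arrays.asList(
                        new AppSignAuthConverter(appSignChecker, appAuthenticationProvider),
                        new ClientSecretBasicAuthenticationConverter(),
                        new ClientSecretPostAuthenticationConverter())));
            } else if (filter instanceof OAuth2TokenEndpointFilter) {
                ((OAuth2TokenEndpointFilter) filter).setAuthenticationConverter(new DelegatingAuthenticationConverter(Arrays.asList(
                        new OAuth2AuthorizationCodeAuthenticationConverter(),
                        new OAuth2RefreshTokenAuthenticationConverter(),
                        new OAuth2ClientCredentialsAuthenticationConverter(),
                        new CorsTokenAuthenticationConverter())));
            }
        }
    }
}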
