package hu.perit.spvitamin.spring.security.auth;

import hu.perit.spvitamin.spring.config.AdminProperties;
import hu.perit.spvitamin.spring.config.SecurityProperties;
import hu.perit.spvitamin.spring.config.SpringContext;
import hu.perit.spvitamin.spring.config.SwaggerProperties;
import hu.perit.spvitamin.spring.config.SysConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Spring Security filter chains for the built-in spvitamin endpoints.
 * <p>
 * Three chains are registered with ascending {@code @Order}; the chain with the lowest
 * order whose scope matches the request handles it. In order of precedence: the logout
 * endpoint (997), the admin / keystore / truststore REST endpoints (998) and a catch-all
 * for everything else (999). Access to the admin, actuator, admin-GUI and swagger paths is
 * driven by {@link SecurityProperties}: the literal {@code "*"} opens a path to every
 * caller, any other value is treated as the role name required to reach it.
 */
@EnableWebSecurity
@Configuration
public class SpvitaminWebSecurityConfig {
    private static final Logger log = LoggerFactory.getLogger(SpvitaminWebSecurityConfig.class);

    /** Path of the session-invalidating logout endpoint. */
    private static final String LOGOUT_PATH = "/api/spvitamin/logout";

    /** Configuration value meaning "no authentication / role required". */
    private static final String OPEN_TO_ALL = "*";

    /**
     * Filter chain for {@code POST /api/spvitamin/logout}.
     * <p>
     * The endpoint is reachable without authentication; a successful logout invalidates the
     * HTTP session, removes the {@code JSESSIONID} cookie and writes an info log line.
     * Depends on {@code serverProperties} only because the service URL is logged at startup.
     *
     * @param httpSecurity the builder supplied by Spring for this chain
     * @return the built chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @DependsOn("serverProperties")
    @Bean
    @Order(997)
    public SecurityFilterChain configureLogoutRestEndpoint(HttpSecurity httpSecurity) throws Exception {
        String serviceUrl = SysConfig.getServerProperties().getServiceUrl();
        log.info("logout URL: POST {}{}", serviceUrl, LOGOUT_PATH);

        // Only the POST verb is in scope for this chain; GET to the same path falls through.
        RequestMatcher logoutMatcher = new AntPathRequestMatcher(LOGOUT_PATH, "POST");
        SimpleHttpSecurityBuilder.newInstance(httpSecurity)
                .scope(logoutMatcher)
                .authorizeRequests(registry -> registry.anyRequest().permitAll())
                .and()
                .logout(logout -> logout
                        .logoutUrl(LOGOUT_PATH)
                        .invalidateHttpSession(true)
                        .deleteCookies("JSESSIONID")
                        .logoutSuccessHandler((request, response, authentication) -> log.info("logout success")));
        return httpSecurity.build();
    }

    /**
     * Filter chain for the admin, keystore and truststore REST endpoints.
     * <p>
     * Authorization rules come from {@link #authAdminRestEndpoints}; anything in scope that
     * those rules do not mention requires an authenticated caller. The chain ignores
     * persisted (session) security and authenticates via JWT, as provided by
     * {@code SimpleHttpSecurityBuilder}.
     *
     * @param httpSecurity the builder supplied by Spring for this chain
     * @return the built chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    @Order(998)
    public SecurityFilterChain configureAdminRestEndpoints(HttpSecurity httpSecurity) throws Exception {
        SimpleHttpSecurityBuilder.newInstance(httpSecurity)
                .scope("/api/spvitamin/admin/**", "/api/spvitamin/keystore/**", "/api/spvitamin/truststore/**")
                .authorizeRequests(this::authAdminRestEndpoints)
                .authorizeRequests(registry -> registry.anyRequest().authenticated())
                .ignorePersistedSecurity()
                .jwtAuth();
        return httpSecurity.build();
    }

    /**
     * Authorization rules for the admin REST endpoints.
     * <p>
     * {@code version} and {@code csp_violations} are open to everyone and are registered first
     * so they take precedence over the role-restricted matchers. Settings, shutdown and the
     * keystore / truststore paths follow {@code adminEndpointsAccess}.
     *
     * @param registry the matcher registry of the admin chain
     */
    private void authAdminRestEndpoints(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        SecurityProperties securityProperties = SysConfig.getSecurityProperties();

        registry.requestMatchers("/api/spvitamin/admin/version", "/api/spvitamin/admin/csp_violations").permitAll();

        var restrictedAdminUrls = registry.requestMatchers(
                "/api/spvitamin/admin/settings",
                "/api/spvitamin/admin/shutdown",
                "/api/spvitamin/keystore/**",
                "/api/spvitamin/truststore/**");
        applyAccess(restrictedAdminUrls, securityProperties.getAdminEndpointsAccess());
    }

    /**
     * Catch-all filter chain for every request not claimed by a more specific chain.
     * <p>
     * Applies the builder defaults, enables logout and allows framing, then layers the
     * swagger, actuator, admin-GUI and public-path rules. Any remaining request must be
     * authenticated.
     *
     * @param httpSecurity the builder supplied by Spring for this chain
     * @return the built chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    @Order(999)
    public SecurityFilterChain configureAllOthers(HttpSecurity httpSecurity) throws Exception {
        SimpleHttpSecurityBuilder.newInstance(httpSecurity)
                .defaults()
                .logout()
                .allowFrames()
                .authorizeRequests(this::authorizeSwagger)
                .authorizeRequests(this::authorizeActuator)
                .authorizeRequests(this::authorizeAdminGui)
                .authorizeRequests(this::permitEndpoints)
                .authorizeRequests(registry -> registry.anyRequest().authenticated());
        return httpSecurity.build();
    }

    /**
     * Paths that are always reachable without authentication.
     * <p>
     * NOTE(review): {@code /h2/**} (the H2 console) is among them; confirm the console is not
     * enabled in profiles that face untrusted networks.
     *
     * @param registry the matcher registry of the catch-all chain
     */
    private void permitEndpoints(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        registry.requestMatchers("/h2/**", "/error", "/logout").permitAll();
    }

    /**
     * Access rule for the admin GUI.
     * <p>
     * When no dedicated GUI URL is configured the GUI is assumed to live at the root, so the
     * root, top-level files and the css / assets folders are covered; otherwise the root and
     * everything below the configured URL. The level of access follows {@code adminGuiAccess}.
     *
     * @param registry the matcher registry of the catch-all chain
     */
    private void authorizeAdminGui(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        SecurityProperties securityProperties = SysConfig.getSecurityProperties();
        AdminProperties adminProperties = SysConfig.getAdminProperties();
        String adminGuiUrl = adminProperties.getAdminGuiUrl();

        var guiUrls = adminGuiUrl.isBlank()
                ? registry.requestMatchers("/", "/*.*", "/css/**", "/assets/**")
                : registry.requestMatchers("/", adminGuiUrl + "/**");
        applyAccess(guiUrls, securityProperties.getAdminGuiAccess());
    }

    /**
     * Access rules for the actuator.
     * <p>
     * Health and prometheus endpoints are open (probes and scrapers run unauthenticated);
     * the rest of {@code /actuator/**} follows {@code managementEndpointsAccess}.
     *
     * @param registry the matcher registry of the catch-all chain
     */
    private void authorizeActuator(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        SecurityProperties securityProperties = SysConfig.getSecurityProperties();

        registry.requestMatchers("/actuator/health/**", "/actuator/prometheus").permitAll();

        var managementUrls = registry.requestMatchers("/actuator/**");
        applyAccess(managementUrls, securityProperties.getManagementEndpointsAccess());
    }

    /**
     * Access rule for the swagger UI and the OpenAPI document.
     * <p>
     * Both paths are read from {@link SwaggerProperties} (looked up through the application
     * context); the level of access follows {@code swaggerAccess}.
     *
     * @param registry the matcher registry of the catch-all chain
     */
    private void authorizeSwagger(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        SecurityProperties securityProperties = SysConfig.getSecurityProperties();
        SwaggerProperties swaggerProperties = (SwaggerProperties) SpringContext.getBean(SwaggerProperties.class);

        String swaggerUiPattern = swaggerProperties.getSwaggerUi().getPath() + "/**";
        String apiDocsPattern = swaggerProperties.getApiDocs().getPath() + "/**";
        var swaggerUrls = registry.requestMatchers(swaggerUiPattern, apiDocsPattern);
        applyAccess(swaggerUrls, securityProperties.getSwaggerAccess());
    }

    /**
     * Translates a configured access level into an authorization rule.
     *
     * @param urls   the matched URLs to restrict
     * @param access {@code "*"} to permit everyone, otherwise the role name required
     *               (passed to {@code hasRole}, i.e. without the {@code ROLE_} prefix)
     */
    private static void applyAccess(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizedUrl urls, String access) {
        if (OPEN_TO_ALL.equals(access)) {
            urls.permitAll();
        } else {
            urls.hasRole(access);
        }
    }
}
