package de.frachtwerk.essencium.backend.configuration;

import de.frachtwerk.essencium.backend.configuration.properties.LdapConfigProperties;
import de.frachtwerk.essencium.backend.configuration.properties.oauth.OAuth2ConfigProperties;
import de.frachtwerk.essencium.backend.model.AbstractBaseUser;
import de.frachtwerk.essencium.backend.model.dto.UserDto;
import de.frachtwerk.essencium.backend.security.JwtAuthenticationProvider;
import de.frachtwerk.essencium.backend.security.JwtTokenAuthenticationFilter;
import de.frachtwerk.essencium.backend.security.LdapUserContextMapper;
import de.frachtwerk.essencium.backend.security.OAuth2FailureHandler;
import de.frachtwerk.essencium.backend.security.OAuth2SuccessHandler;
import de.frachtwerk.essencium.backend.service.AbstractUserService;
import de.frachtwerk.essencium.backend.service.RoleService;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.CollectionUtils;

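/**
 * Central Spring Security wiring for the backend API.
 *
 * <p>Request handling is stateless: no HTTP session is created; form login, HTTP Basic, logout and
 * CSRF protection are switched off; and every request under {@code /v1/**} (minus the public
 * exceptions below) must carry a JWT that {@link JwtTokenAuthenticationFilter} hands to the
 * {@link AuthenticationManager} assembled here. Disabling CSRF is only sound because the token is
 * expected to arrive in a request header rather than a browser-managed cookie —
 * NOTE(review): confirm the JWT is never persisted in a cookie, otherwise CSRF must be re-enabled.
 *
 * <p>Matcher precedence: {@link #DEFAULT_PUBLIC_URLS} is registered before
 * {@link #DEFAULT_PROTECTED_URLS}, so the public exceptions inside {@code /v1/**} (GET
 * translations, reset-credentials, set-password, contact without an Authorization header) take
 * priority over the {@code authenticated()} rule. Everything outside {@code /v1/**} is public too,
 * including the OpenAPI document and Swagger UI.
 *
 * <p>Optional providers: OAuth2/OIDC login and LDAP bind authentication are only added to the
 * provider chain when the respective config properties report them enabled. The corresponding
 * {@code @Bean} methods are additionally guarded by {@code @ConditionalOnProperty} on
 * {@code app.auth.oauth.enabled} / {@code app.auth.ldap.enabled}; the property objects are
 * presumed to be bound to the same keys — TODO confirm, since a mismatch would make
 * {@link #authenticationManager()} call a bean method that was never registered.
 *
 * @param <USER> concrete user entity type
 * @param <T> user DTO type consumed by the user service
 * @param <ID> user identifier type
 * @param <USERDTO> user DTO type consumed by the OAuth2 success handler and the LDAP mapper
 */
@EnableWebSecurity
@Configuration
public class WebSecurityConfig<USER extends AbstractBaseUser<ID>, T extends UserDto<ID>, ID extends Serializable, USERDTO extends UserDto<ID>> {
    private static final Logger LOG = LoggerFactory.getLogger(WebSecurityConfig.class);

    /** Everything below {@code /v1} requires authentication unless it is listed as public. */
    private static final RequestMatcher DEFAULT_PROTECTED_URLS =
            new OrRequestMatcher(new AntPathRequestMatcher("/v1/**"));

    /**
     * Requests served without authentication: anything outside {@code /v1}, read-only translation
     * lookups, the credential-reset and set-password flows (presumably protected by a one-time
     * token inside their controllers — verify there), the OpenAPI/Swagger UI endpoints, and contact
     * requests that do not present an {@code Authorization} header.
     */
    private static final RequestMatcher DEFAULT_PUBLIC_URLS =
            new OrRequestMatcher(
                    new NegatedRequestMatcher(DEFAULT_PROTECTED_URLS),
                    new AntPathRequestMatcher("/v1/translations/**", HttpMethod.GET.name()),
                    new AntPathRequestMatcher("/v1/reset-credentials/**"),
                    new AntPathRequestMatcher("/v1/set-password/**"),
                    new AntPathRequestMatcher("/v3/api-docs/**"),
                    new AntPathRequestMatcher("/swagger-ui/**"),
                    new AndRequestMatcher(
                            new AntPathRequestMatcher("/v1/contact/**"),
                            new NegatedRequestMatcher(new RequestHeaderRequestMatcher("Authorization"))));

    private final AbstractUserService<USER, ID, T> userService;
    private final RoleService roleService;
    private final ApplicationEventPublisher applicationEventPublisher;
    private final PasswordEncoder passwordEncoder;
    private final OAuth2SuccessHandler<USER, ID, USERDTO> oAuth2SuccessHandler;
    private final OAuth2FailureHandler oAuth2FailureHandler;
    private final OAuth2ConfigProperties oAuth2ConfigProperties;
    private final ProxyAuthCodeTokenClient proxyAuthCodeTokenClient;
    private final LdapConfigProperties ldapConfigProperties;
    private final LdapUserContextMapper<USER, ID, USERDTO> ldapContextMapper;
    private final BaseLdapPathContextSource ldapContextSource;

    /**
     * Builds the single {@link SecurityFilterChain}: stateless sessions, the JWT filter ahead of the
     * anonymous filter, the permit/authenticate rules and — when OAuth2 is enabled — OAuth2 login
     * with the custom success/failure handlers plus, optionally, the proxy-aware token client.
     *
     * <p>{@code cors(withDefaults())} only has an effect if a {@code CorsConfigurationSource} bean
     * is provided elsewhere; nothing CORS-specific is configured in this class.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @return the built filter chain
     * @throws Exception propagated from the builder
     */
    @Bean
    protected SecurityFilterChain configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .cors(Customizer.withDefaults())
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                // The JWT filter only reacts to DEFAULT_PROTECTED_URLS. It must sit before the
                // anonymous filter so an authenticated principal is present when the authorization
                // rules below are evaluated.
                .addFilterBefore(jwtTokenAuthenticationFilter(), AnonymousAuthenticationFilter.class)
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers(DEFAULT_PUBLIC_URLS).permitAll()
                        .requestMatchers(DEFAULT_PROTECTED_URLS).authenticated())
                // Browser-session mechanisms are off: this is a bearer-token API without a
                // server-side session, so there is no session cookie for CSRF to protect.
                .formLogin(formLogin -> formLogin.disable())
                .httpBasic(httpBasic -> httpBasic.disable())
                .csrf(csrf -> csrf.disable())
                .logout(logout -> logout.disable());
        httpSecurity.authenticationManager(authenticationManager());

        if (this.oAuth2ConfigProperties.isEnabled()) {
            boolean viaProxy = this.oAuth2ConfigProperties.isProxyEnabled();
            if (viaProxy) {
                LOG.debug("Enabling OAuth client using proxy...");
            }
            // Both customizations target the same OAuth2LoginConfigurer instance, so they are
            // applied in one pass.
            httpSecurity.oauth2Login(oauth2 -> {
                oauth2.successHandler(this.oAuth2SuccessHandler).failureHandler(this.oAuth2FailureHandler);
                if (viaProxy) {
                    oauth2.tokenEndpoint(token -> token.accessTokenResponseClient(this.proxyAuthCodeTokenClient));
                }
            });
        }
        return httpSecurity.build();
    }

    /**
     * Removes the public URLs from the security filter chain altogether, except the OAuth2
     * authorization and redirect endpoints ({@code /oauth2/**}, {@code /login/oauth2/**}), which
     * need the chain for {@code oauth2Login()} to work.
     *
     * <p>NOTE(review): {@code ignoring()} bypasses every Spring Security filter for these requests,
     * not only authentication — no security headers, no Spring-Security-driven CORS handling, and
     * the {@code permitAll()} rule in {@link #configure} never sees them. Because
     * {@link #DEFAULT_PUBLIC_URLS} negates {@code /v1/**}, this covers every endpoint outside
     * {@code /v1} (management endpoints included, if any are exposed). Spring's guidance is to keep
     * such requests in the chain with {@code permitAll()}; doing so would change the response
     * headers these endpoints emit, so it is flagged here rather than changed.
     *
     * @return customizer that registers the ignore rule
     */
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        RequestMatcher oauthEndpoints = new OrRequestMatcher(
                new AntPathRequestMatcher("/oauth2/**"),
                new AntPathRequestMatcher("/login/oauth2/**"));
        RequestMatcher publicButNotOauth =
                new AndRequestMatcher(DEFAULT_PUBLIC_URLS, new NegatedRequestMatcher(oauthEndpoints));
        return webSecurity -> webSecurity.ignoring().requestMatchers(publicButNotOauth);
    }

    /**
     * Assembles the {@link ProviderManager}. Order matters — {@link ProviderManager} consults the
     * providers in list order — and is kept identical to the previous hard-coded variants: DAO
     * first, then (if OAuth2 is enabled) OAuth2 login and OIDC, then JWT, and LDAP last (if enabled).
     *
     * @return the provider chain with the {@link DefaultAuthenticationEventPublisher} attached
     */
    @Bean
    protected AuthenticationManager authenticationManager() {
        List<AuthenticationProvider> providers = new ArrayList<>();
        providers.add(daoAuthenticationProvider());
        if (this.oAuth2ConfigProperties.isEnabled()) {
            providers.add(oAuth2LoginAuthenticationProvider());
            providers.add(oidcAuthorizationCodeAuthenticationProvider());
        }
        providers.add(jwtAuthenticationProvider());
        if (this.ldapConfigProperties.isEnabled()) {
            providers.add(ldapAuthProvider());
        }
        ProviderManager providerManager = new ProviderManager(providers);
        providerManager.setAuthenticationEventPublisher(authenticationEventPublisher());
        return providerManager;
    }

    /**
     * Username/password authentication against the application's own user store, using the
     * injected {@link PasswordEncoder} for hash verification.
     *
     * @return the DAO provider backed by {@code userService}
     */
    @Bean
    public DaoAuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(this.userService);
        provider.setPasswordEncoder(this.passwordEncoder);
        return provider;
    }

    /**
     * The bearer-token filter, scoped to {@link #DEFAULT_PROTECTED_URLS} and wired to the provider
     * chain from {@link #authenticationManager()}. Its success handler deliberately does not
     * redirect (see {@link #successHandler()}) so the request proceeds to the controller.
     *
     * @return the configured JWT filter
     */
    @Bean
    protected JwtTokenAuthenticationFilter jwtTokenAuthenticationFilter() {
        JwtTokenAuthenticationFilter filter = new JwtTokenAuthenticationFilter(DEFAULT_PROTECTED_URLS);
        filter.setAuthenticationManager(authenticationManager());
        filter.setAuthenticationSuccessHandler(successHandler());
        return filter;
    }

    /**
     * Provider that validates the JWT handed over by {@link JwtTokenAuthenticationFilter}.
     *
     * @return a new {@link JwtAuthenticationProvider}
     */
    @Bean
    protected JwtAuthenticationProvider<USER, ID, USERDTO> jwtAuthenticationProvider() {
        return new JwtAuthenticationProvider<>();
    }

    /**
     * Prevents Spring Boot from registering the JWT filter as a plain servlet filter in addition to
     * its place in the security chain; otherwise it would run for every request, outside the chain.
     *
     * @param jwtTokenAuthenticationFilter the filter bean
     * @return a disabled registration
     */
    @Bean
    protected FilterRegistrationBean<JwtTokenAuthenticationFilter> disableAutoRegistration(JwtTokenAuthenticationFilter jwtTokenAuthenticationFilter) {
        FilterRegistrationBean<JwtTokenAuthenticationFilter> registration =
                new FilterRegistrationBean<>(jwtTokenAuthenticationFilter);
        registration.setEnabled(false);
        return registration;
    }

    /**
     * Plain OAuth2 (non-OIDC) authorization-code login provider with Spring's default token and
     * user-info clients. Only registered when {@code app.auth.oauth.enabled=true}.
     *
     * @return the OAuth2 login provider
     */
    @ConditionalOnProperty(value = {"app.auth.oauth.enabled"}, havingValue = "true")
    @Bean
    public OAuth2LoginAuthenticationProvider oAuth2LoginAuthenticationProvider() {
        return new OAuth2LoginAuthenticationProvider(
                new DefaultAuthorizationCodeTokenResponseClient(), new DefaultOAuth2UserService());
    }

    /**
     * OpenID Connect authorization-code login provider with Spring's default token and user-info
     * clients. Only registered when {@code app.auth.oauth.enabled=true}.
     *
     * @return the OIDC login provider
     */
    @ConditionalOnProperty(value = {"app.auth.oauth.enabled"}, havingValue = "true")
    @Bean
    public OidcAuthorizationCodeAuthenticationProvider oidcAuthorizationCodeAuthenticationProvider() {
        return new OidcAuthorizationCodeAuthenticationProvider(
                new DefaultAuthorizationCodeTokenResponseClient(), new OidcUserService());
    }

    /**
     * LDAP provider: authenticates via {@link #ldapBindAuthenticator()}, derives authorities via
     * {@link #ldapAuthoritiesPopulator(BaseLdapPathContextSource)} and maps the directory entry to
     * an application user through the injected context mapper. Only registered when
     * {@code app.auth.ldap.enabled=true}.
     *
     * @return the LDAP provider
     */
    @ConditionalOnProperty(value = {"app.auth.ldap.enabled"}, havingValue = "true")
    @Bean
    public LdapAuthenticationProvider ldapAuthProvider() {
        LdapAuthenticationProvider provider =
                new LdapAuthenticationProvider(ldapBindAuthenticator(), ldapAuthoritiesPopulator(this.ldapContextSource));
        provider.setUserDetailsContextMapper(this.ldapContextMapper);
        return provider;
    }

    /**
     * Maps LDAP group membership to application roles. For each group entry found by the configured
     * group search, the first value of the configured group-role attribute is looked up in the
     * {@code roles} src→dst mapping list and the mapped name is resolved (upper-cased) through
     * {@link RoleService}. Entries without a mapping yield {@code null}.
     *
     * <p>Security notes: every LDAP user additionally receives the configured default role
     * regardless of group membership, so that role must be the least-privileged one.
     * NOTE(review): returning {@code null} from the mapper relies on the populator and the context
     * mapper tolerating a {@code null} authority — confirm against the Spring Security version in
     * use.
     *
     * @param baseLdapPathContextSource directory connection used for the group search
     * @return the configured populator
     */
    @ConditionalOnProperty(value = {"app.auth.ldap.enabled"}, havingValue = "true")
    @Bean
    LdapAuthoritiesPopulator ldapAuthoritiesPopulator(BaseLdapPathContextSource baseLdapPathContextSource) {
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(baseLdapPathContextSource, this.ldapConfigProperties.getGroupSearchBase());
        populator.setGroupSearchFilter(this.ldapConfigProperties.getGroupSearchFilter());
        populator.setAuthorityMapper(groupRecord -> {
            List<String> groupValues = groupRecord.get(this.ldapConfigProperties.getGroupRoleAttribute());
            if (CollectionUtils.isEmpty(groupValues) || Objects.isNull(groupValues.get(0))) {
                return null;
            }
            String ldapGroup = groupValues.get(0);
            String targetRole = this.ldapConfigProperties.getRoles().stream()
                    .filter(mapping -> mapping.getSrc().equals(ldapGroup))
                    .findFirst()
                    .map(mapping -> mapping.getDst())
                    .orElse(null);
            if (targetRole == null) {
                return null;
            }
            // Locale.ROOT: role names are identifiers, so the upper-casing must not depend on the
            // JVM default locale (e.g. a Turkish locale would turn "admin" into "ADMİN").
            return this.roleService.getRole(targetRole.toUpperCase(Locale.ROOT)).orElse(null);
        });
        populator.setDefaultRole(this.ldapConfigProperties.getDefaultRole());
        return populator;
    }

    /**
     * Bind authenticator: the user entry is located with the configured search base and filter,
     * then the provider binds as that entry with the supplied password. The search filter should
     * use the {@code {0}} placeholder for the login name — {@link FilterBasedLdapUserSearch}
     * performs the substitution, so the username must never be concatenated into the filter string.
     *
     * @return the bind authenticator
     */
    @ConditionalOnProperty(value = {"app.auth.ldap.enabled"}, havingValue = "true")
    @Bean
    public BindAuthenticator ldapBindAuthenticator() {
        FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(
                this.ldapConfigProperties.getUserSearchBase(),
                this.ldapConfigProperties.getUserSearchFilter(),
                this.ldapContextSource);
        BindAuthenticator authenticator = new BindAuthenticator(this.ldapContextSource);
        authenticator.setUserSearch(userSearch);
        return authenticator;
    }

    /**
     * Publishes authentication success/failure events to the application context (useful for
     * audit logging and lockout logic elsewhere).
     *
     * @return the event publisher attached to the provider manager
     */
    @Bean
    public DefaultAuthenticationEventPublisher authenticationEventPublisher() {
        return new DefaultAuthenticationEventPublisher(this.applicationEventPublisher);
    }

    /**
     * Success handler for the JWT filter whose redirect strategy is intentionally a no-op: an API
     * client must not be redirected after the token is accepted, the request simply continues.
     *
     * @return a {@link SimpleUrlAuthenticationSuccessHandler} that never redirects
     */
    @Bean
    protected AuthenticationSuccessHandler successHandler() {
        SimpleUrlAuthenticationSuccessHandler handler = new SimpleUrlAuthenticationSuccessHandler();
        handler.setRedirectStrategy((request, response, targetUrl) -> {
            // Intentionally empty: no redirect for bearer-token authenticated API calls.
        });
        return handler;
    }

    @Generated
    public WebSecurityConfig(AbstractUserService<USER, ID, T> abstractUserService, RoleService roleService, ApplicationEventPublisher applicationEventPublisher, PasswordEncoder passwordEncoder, OAuth2SuccessHandler<USER, ID, USERDTO> oAuth2SuccessHandler, OAuth2FailureHandler oAuth2FailureHandler, OAuth2ConfigProperties oAuth2ConfigProperties, ProxyAuthCodeTokenClient proxyAuthCodeTokenClient, LdapConfigProperties ldapConfigProperties, LdapUserContextMapper<USER, ID, USERDTO> ldapUserContextMapper, BaseLdapPathContextSource baseLdapPathContextSource) {
        this.userService = abstractUserService;
        this.roleService = roleService;
        this.applicationEventPublisher = applicationEventPublisher;
        this.passwordEncoder = passwordEncoder;
        this.oAuth2SuccessHandler = oAuth2SuccessHandler;
        this.oAuth2FailureHandler = oAuth2FailureHandler;
        this.oAuth2ConfigProperties = oAuth2ConfigProperties;
        this.proxyAuthCodeTokenClient = proxyAuthCodeTokenClient;
        this.ldapConfigProperties = ldapConfigProperties;
        this.ldapContextMapper = ldapUserContextMapper;
        this.ldapContextSource = baseLdapPathContextSource;
    }
}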
