package com.erudika.para.server.security;

import com.erudika.para.core.utils.Para;
import com.typesafe.config.ConfigList;
import com.typesafe.config.ConfigObject;
import com.typesafe.config.ConfigValue;
import jakarta.annotation.security.DeclareRoles;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.firewall.DefaultHttpFirewall;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

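@DeclareRoles({"ROLE_USER", "ROLE_MOD", "ROLE_ADMIN", "ROLE_APP"})
@Configuration
@EnableWebSecurity
/* loaded from: input_file:com/erudika/para/server/security/SecurityConfig.class */
/**
 * Spring Security configuration for the Para server: the HTTP firewall, the
 * authorization rules (including config-driven "protected paths"), CSRF handling,
 * session policy, exception handling, logout and the authentication providers.
 *
 * NOTE(review): this listing looks decompiled (raw types, synthetic
 * {@code Objects.requireNonNull}); the original source may differ cosmetically.
 */
public class SecurityConfig {
    private static final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);

    /** Roles granted to a protected path whose config entry names no roles of its own. */
    private static final String[] DEFAULT_ROLES = {"USER", "MOD", "ADMIN", "APP"};

    /**
     * Names of the standard HTTP methods, used to tell method names apart from role
     * names inside a protected-path entry. A null check on HttpMethod.valueOf() cannot
     * do this: in Spring 6 valueOf() builds an HttpMethod for any string and never
     * returns null, which made every name look like a method and left the configured
     * roles unused (DEFAULT_ROLES was always applied). Non-standard methods such as
     * WebDAV verbs are therefore treated as role names here.
     */
    private static final Set<String> STANDARD_HTTP_METHODS = standardHttpMethodNames();

    /** Collects the names of Spring's standard HTTP methods into an immutable set. */
    private static Set<String> standardHttpMethodNames() {
        Set<String> names = new HashSet<>();
        for (HttpMethod method : HttpMethod.values()) {
            names.add(method.name());
        }
        return Set.copyOf(names);
    }

    /**
     * Loads the deferred CSRF token on every request so that the cookie token
     * repository actually writes the CSRF cookie for the browser-side code to read.
     * Calling getToken() is what triggers the cookie write.
     */
    /* loaded from: input_file:com/erudika/para/server/security/SecurityConfig$CsrfCookieFilter.class */
    private static final class CsrfCookieFilter extends OncePerRequestFilter {
        private CsrfCookieFilter() {
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain chain) throws ServletException, IOException {
            CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            // The attribute is normally populated by CsrfFilter earlier in the chain;
            // guard anyway instead of failing the request with an NPE when it is absent.
            if (token != null) {
                token.getToken();
            }
            chain.doFilter(request, response);
        }
    }

    /**
     * Replaces Spring Security's default (strict) HTTP firewall with DefaultHttpFirewall
     * so that URL-encoded slashes (%2F) in request paths are accepted.
     *
     * NOTE(review): DefaultHttpFirewall is more permissive than StrictHttpFirewall;
     * confirm the relaxation is still required by the endpoints that receive encoded slashes.
     *
     * @return the customizer installing the firewall
     */
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return web -> {
            DefaultHttpFirewall firewall = new DefaultHttpFirewall();
            firewall.setAllowUrlEncodedSlash(true);
            web.httpFirewall(firewall);
        };
    }

    /**
     * Builds the main security filter chain from the Para configuration.
     *
     * @param http the HttpSecurity builder supplied by Spring
     * @return the built filter chain
     * @throws Exception propagated from the HttpSecurity builder
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        String signinPath = Para.getConfig().signinPath();
        String signoutPath = Para.getConfig().signoutPath();
        String accessDeniedPath = Para.getConfig().accessDeniedPath();
        String signoutSuccessPath = Para.getConfig().signoutSuccessPath();
        ConfigObject protectedPaths = Para.getConfig().protectedPaths();

        // Authorization rules are consulted in registration order and the first matching
        // rule decides. NOTE(review): the "/**" permitAll rule is registered first here,
        // which under that first-match semantic would make the REST "authenticated" rule
        // and the protected-path role rules below unreachable. Confirm this is intended
        // (e.g. because REST authentication is enforced by Para's own filters) or
        // register the catch-all last. The order is kept unchanged here.
        http.authorizeHttpRequests(authz -> authz.requestMatchers("/**").permitAll());
        http.authorizeHttpRequests(authz -> authz.requestMatchers(IgnoredRequestMatcher.INSTANCE).permitAll());
        http.authorizeHttpRequests(authz -> authz.requestMatchers(RestRequestMatcher.INSTANCE).authenticated());
        parseProtectedResources(http, protectedPaths);

        if (Para.getConfig().csrfProtectionEnabled()) {
            // Double-submit cookie scheme: the token lives in a cookie that client-side
            // code must be able to read (hence HttpOnly=false) and echo back on requests
            // selected by CsrfProtectionRequestMatcher.
            CookieCsrfTokenRepository tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
            XorCsrfTokenRequestAttributeHandler xorHandler = new XorCsrfTokenRequestAttributeHandler();
            xorHandler.setCsrfRequestAttributeName("_csrf");
            // Only handle() is delegated to the XOR handler (it exposes a masked token
            // under the "_csrf" request attribute); resolveCsrfTokenValue() keeps the
            // interface default, so the raw cookie value sent by the client is accepted.
            CsrfTokenRequestHandler requestHandler = xorHandler::handle;
            http.csrf(csrf -> csrf
                    .requireCsrfProtectionMatcher(CsrfProtectionRequestMatcher.INSTANCE)
                    .csrfTokenRepository(tokenRepository)
                    .csrfTokenRequestHandler(requestHandler))
                .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class);
        } else {
            http.csrf(csrf -> csrf.disable());
        }

        // Session policy: no session ids in URLs, Spring Security never creates a session
        // itself (NEVER still uses one if the container already has it), and no session
        // fixation/migration handling on authentication.
        http.sessionManagement(session -> session
                .enableSessionUrlRewriting(false)
                .sessionCreationPolicy(SessionCreationPolicy.NEVER)
                .sessionAuthenticationStrategy(new NullAuthenticatedSessionStrategy()));

        http.exceptionHandling(handling -> handling
                .authenticationEntryPoint(new SimpleAuthenticationEntryPoint(signinPath))
                .accessDeniedHandler(new SimpleAccessDeniedHandler(accessDeniedPath)));
        http.requestCache(cache -> cache.requestCache(new SimpleRequestCache()));
        http.logout(logout -> logout
                .deleteCookies(Para.getConfig().authCookieName())
                .invalidateHttpSession(true)
                .logoutUrl(signoutPath)
                .logoutSuccessUrl(signoutSuccessPath));
        http.rememberMe(rememberMe -> rememberMe.disable());

        http.authenticationProvider(new JWTAuthenticationProvider());
        http.authenticationProvider(new LDAPAuthenticationProvider());
        http.with(new JwtConfigurer(), jwt -> {
        });
        return http.build();
    }

    /**
     * Registers an authorization rule for every protected-path entry in the config.
     *
     * Each entry is a list: its string elements are URL patterns, and each nested list
     * holds HTTP method names and/or role names (trimmed, upper-cased). Names of standard
     * HTTP methods restrict the rule to those methods; every other name is a role.
     * Entries naming no roles fall back to DEFAULT_ROLES. A malformed element is logged
     * and skipped, so a partially parsed entry still registers a (possibly narrower) rule.
     *
     * @param http the builder to add rules to
     * @param protectedPaths the protected-paths config object; null or empty adds nothing
     * @throws Exception propagated from the HttpSecurity builder
     * @throws IllegalArgumentException if an entry is not a list (fails startup rather
     *         than silently leaving the path unprotected)
     */
    private void parseProtectedResources(HttpSecurity http, ConfigObject protectedPaths) throws Exception {
        if (protectedPaths == null || protectedPaths.isEmpty()) {
            return;
        }
        for (ConfigValue entry : protectedPaths.values()) {
            if (!(entry instanceof ConfigList)) {
                throw new IllegalArgumentException("Invalid config syntax for protected resource: "
                        + entry.render() + " (expected a list)");
            }
            List<String> patterns = new LinkedList<>();
            List<String> roles = new LinkedList<>();
            Set<HttpMethod> methods = new HashSet<>();

            for (ConfigValue element : (ConfigList) entry) {
                try {
                    if (element instanceof ConfigList) {
                        for (ConfigValue item : (ConfigList) element) {
                            String name = ((String) item.unwrapped()).toUpperCase(Locale.ROOT).trim();
                            if (name.isEmpty()) {
                                logger.warn("Ignoring blank method/role name in protected resource: {}.",
                                        element.render());
                                continue;
                            }
                            if (STANDARD_HTTP_METHODS.contains(name)) {
                                methods.add(HttpMethod.valueOf(name));
                            } else {
                                roles.add(name);
                            }
                        }
                    } else {
                        patterns.add((String) element.unwrapped());
                    }
                } catch (Exception e) {
                    logger.error("Invalid config syntax for protected resource: {}.", element.render(), e);
                }
            }

            if (patterns.isEmpty()) {
                // No patterns means no matcher would be registered anyway; say so.
                logger.warn("Protected resource has no URL patterns and is ignored: {}.", entry.render());
                continue;
            }
            String[] roleNames = roles.isEmpty() ? DEFAULT_ROLES : roles.toArray(new String[0]);
            String[] urlPatterns = patterns.toArray(new String[0]);

            if (methods.isEmpty()) {
                // No method restriction: the rule applies to every HTTP method.
                http.authorizeHttpRequests(authz -> authz.requestMatchers(urlPatterns).hasAnyRole(roleNames));
            } else {
                for (HttpMethod method : methods) {
                    http.authorizeHttpRequests(authz ->
                            authz.requestMatchers(method, urlPatterns).hasAnyRole(roleNames));
                }
            }
        }
    }
}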
