package io.gravitee.am.management.handlers.management.api.spring.security;

import io.gravitee.am.management.handlers.management.api.authentication.csrf.CookieCsrfSignedTokenRepository;
import io.gravitee.am.management.handlers.management.api.authentication.filter.JWTAuthenticationFilter;
import io.gravitee.am.management.handlers.management.api.authentication.handler.CustomRequestRejectedHandler;
import io.gravitee.am.management.handlers.management.api.authentication.manager.idp.IdentityProviderManager;
import io.gravitee.am.management.handlers.management.api.authentication.provider.generator.JWTGenerator;
import io.gravitee.am.management.handlers.management.api.authentication.provider.generator.RedirectCookieGenerator;
import io.gravitee.am.management.handlers.management.api.authentication.provider.security.ManagementAuthenticationProvider;
import io.gravitee.am.management.handlers.management.api.authentication.web.WebAuthenticationDetails;
import io.gravitee.am.management.handlers.management.api.authentication.web.WebAuthenticationDetailsSource;
import io.gravitee.am.management.handlers.management.api.spring.security.filter.AuthSecurityConfiguration;
import io.gravitee.am.management.handlers.management.api.spring.security.filter.ManagementSecurityConfiguration;
import io.gravitee.am.management.handlers.management.api.spring.security.filter.TokenSecurityConfiguration;
import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServletRequest;
import java.util.Arrays;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

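/**
 * Root Spring Security configuration of the management API.
 *
 * <p>Enables web security, component-scans the management authentication package, imports the
 * auth, token and management filter configurations, and declares the shared beans they rely on
 * (authentication provider, JWT / redirect cookie generators, CORS source, CSRF token repository,
 * request-rejected handler).
 */
@Configuration
@EnableWebSecurity
@ComponentScan({"io.gravitee.am.management.handlers.management.api.authentication"})
@Import({AuthSecurityConfiguration.class, TokenSecurityConfiguration.class, ManagementSecurityConfiguration.class})
public class SecurityConfiguration {
    /** Property key for the CSP on/off switch. Not read in this class; presumably consumed by the imported configurations. */
    public static final String HTTP_CSP_ENABLED = "http.csp.enabled";

    /**
     * Default {@code default-src} directive.
     *
     * <p>CSP keywords must be single-quoted. An unquoted {@code self} is parsed as a host named
     * "self", so the policy would not allow same-origin resources as intended. The quoting now
     * matches {@link #DEFAULT_FRAME_ANCESTOR_CSP_DIRECTIVE}.
     */
    public static final String DEFAULT_DEFAULT_SRC_CSP_DIRECTIVE = "default-src 'self';";

    /** Default {@code frame-ancestors} directive: the response may not be framed by any origin. */
    public static final String DEFAULT_FRAME_ANCESTOR_CSP_DIRECTIVE = "frame-ancestors 'none';";

    /** Format template for indexed CSP directive property keys; {@code %d} is the directive index. */
    public static final String HTTP_CSP_DIRECTIVES = "http.csp.directives[%d]";

    @Autowired
    private Environment environment;

    @Autowired
    private IdentityProviderManager identityProviderManager;

    /**
     * Registers the management authentication provider on the global authentication manager.
     *
     * @param authenticationManagerBuilder builder supplied by Spring Security
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder) {
        authenticationManagerBuilder.authenticationProvider(userAuthenticationProvider());
    }

    /**
     * Creates the authentication provider and wires it to the identity provider manager.
     *
     * @return the provider used to authenticate management users
     */
    @Bean
    public ManagementAuthenticationProvider userAuthenticationProvider() {
        ManagementAuthenticationProvider provider = new ManagementAuthenticationProvider();
        provider.setIdentityProviderManager(this.identityProviderManager);
        return provider;
    }

    /** @return generator for the JWT carried in the authentication cookie */
    @Bean
    public JWTGenerator jwtCookieGenerator() {
        return new JWTGenerator();
    }

    /** @return generator for the redirect cookie */
    @Bean
    public RedirectCookieGenerator redirectCookieGenerator() {
        return new RedirectCookieGenerator();
    }

    /** @return source that builds {@link WebAuthenticationDetails} from the incoming request */
    @Bean
    public AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> authenticationDetailsSource() {
        return new WebAuthenticationDetailsSource();
    }

    /**
     * Creates the JWT authentication filter.
     *
     * <p>The matcher {@code /**} makes the filter applicable to every request path. Which filter
     * chains actually install it is decided by the imported configurations, not shown here.
     *
     * @return the JWT authentication filter
     */
    @Bean
    public Filter jwtAuthenticationFilter() {
        return new JWTAuthenticationFilter(new AntPathRequestMatcher("/**"));
    }

    /**
     * Builds the CORS policy applied to every path from the {@code http.cors.*} properties.
     *
     * <p>Security note: credentials are always allowed, and the origin pattern defaults to
     * {@code *}. With that combination Spring answers a cross-origin request by echoing the
     * caller's {@code Origin}, so any web origin may send credentialed requests and read the
     * responses. Production deployments should set {@code http.cors.allow-origin} to the exact
     * console origin(s) and should not rely on the default.
     *
     * @return the CORS configuration source registered for {@code /**}
     */
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cors = new CorsConfiguration();
        cors.setAllowCredentials(true);
        // NOTE(review): wildcard default + credentials is permissive; see the Javadoc above.
        cors.setAllowedOriginPatterns(getPropertiesAsList("http.cors.allow-origin", "*"));
        cors.setAllowedHeaders(getPropertiesAsList("http.cors.allow-headers", "Cache-Control, Pragma, Origin, Authorization, Content-Type, X-Requested-With, If-Match, X-Xsrf-Token"));
        cors.setAllowedMethods(getPropertiesAsList("http.cors.allow-methods", "OPTIONS, GET, POST, PUT, PATCH, DELETE"));
        cors.setExposedHeaders(getPropertiesAsList("http.cors.exposed-headers", "ETag, X-Xsrf-Token"));
        // Pre-flight cache lifetime in seconds; the default 1728000 is 20 days.
        cors.setMaxAge(this.environment.getProperty("http.cors.max-age", Long.class, 1728000L));

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cors);
        return source;
    }

    /** @return cookie-backed repository for signed CSRF tokens */
    @Bean
    public CookieCsrfSignedTokenRepository cookieCsrfSignedTokenRepository() {
        return new CookieCsrfSignedTokenRepository();
    }

    /** @return handler invoked when a request is rejected (Spring Security {@link RequestRejectedHandler}) */
    @Bean
    public RequestRejectedHandler requestRejectedHandler() {
        return new CustomRequestRejectedHandler();
    }

    /**
     * Reads a comma-separated property and returns its entries with all whitespace removed.
     *
     * <p>Empty entries (from a blank value, or from doubled or leading commas) are dropped, so
     * an empty string is never handed to the CORS configuration as an origin pattern, header or
     * method.
     *
     * @param propertyKey  environment property to read
     * @param defaultValue comma-separated value used when the property is not set
     * @return the non-empty entries, in declaration order
     */
    private List<String> getPropertiesAsList(String propertyKey, String defaultValue) {
        String raw = this.environment.getProperty(propertyKey, defaultValue);
        String[] entries = Arrays.stream(raw.replaceAll("\\s+", "").split(","))
                .filter(entry -> !entry.isEmpty())
                .toArray(String[]::new);
        return Arrays.asList(entries);
    }
}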
