package io.gravitee.am.management.handlers.management.api.spring.security.filter;

import com.fasterxml.jackson.databind.ObjectMapper;
import io.gravitee.am.jwt.JWTParser;
import io.gravitee.am.management.handlers.management.api.authentication.csrf.CookieCsrfSignedTokenRepository;
import io.gravitee.am.management.handlers.management.api.authentication.filter.BuiltInAuthenticationFilter;
import io.gravitee.am.management.handlers.management.api.authentication.filter.CheckAuthenticationCookieFilter;
import io.gravitee.am.management.handlers.management.api.authentication.filter.CheckRedirectUriFilter;
import io.gravitee.am.management.handlers.management.api.authentication.filter.CheckRedirectionCookieFilter;
import io.gravitee.am.management.handlers.management.api.authentication.filter.CockpitAuthenticationFilter;
import io.gravitee.am.management.handlers.management.api.authentication.filter.RecaptchaFilter;
import io.gravitee.am.management.handlers.management.api.authentication.filter.SocialAuthenticationFilter;
import io.gravitee.am.management.handlers.management.api.authentication.handler.CookieClearingLogoutHandler;
import io.gravitee.am.management.handlers.management.api.authentication.handler.CustomAuthenticationFailureHandler;
import io.gravitee.am.management.handlers.management.api.authentication.handler.CustomAuthenticationSuccessHandler;
import io.gravitee.am.management.handlers.management.api.authentication.handler.CustomLogoutSuccessHandler;
import io.gravitee.am.management.handlers.management.api.authentication.web.LoginUrlAuthenticationEntryPoint;
import io.gravitee.am.management.handlers.management.api.authentication.web.WebAuthenticationDetails;
import io.gravitee.am.management.handlers.management.api.authentication.web.XForwardedAwareRedirectStrategy;
import io.gravitee.am.management.service.OrganizationUserService;
import io.gravitee.am.service.AuditService;
import io.gravitee.am.service.ReCaptchaService;
import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServletRequest;
import java.util.Arrays;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/**
 * Spring Security configuration for the management API's {@code /auth/**} endpoints
 * (login page, authorize, cockpit, social login callback, logout and static assets).
 *
 * <p>Security-relevant points visible in this class:
 * <ul>
 *   <li>The chain only applies to the paths in {@link #MATCHER_ROUTES}; of those, the paths in
 *       {@link #PERMITTED_ROUTES} are open to anonymous callers and every other matched path
 *       requires authentication.</li>
 *   <li>Session creation is {@code STATELESS}, so no {@code HttpSession} is created by Spring
 *       Security for this chain.</li>
 *   <li>CSRF handling is delegated to {@code applyCsrf(...)} inherited from
 *       {@code CsrfAwareConfiguration}; its behaviour is not visible here.</li>
 *   <li>Both redirect allow-lists default to {@code "*"} when their property is unset; see
 *       {@link #checkLoginRedirectUriFilter()} and {@link #checkLogoutRedirectUriFilter()}.</li>
 * </ul>
 */
@Configuration
public class AuthSecurityConfiguration extends CsrfAwareConfiguration {
    private static final String AUTH_LOGIN = "/auth/login";
    private static final String AUTH_AUTHORIZE = "/auth/authorize";
    public static final String AUTH_COCKPIT = "/auth/cockpit";
    public static final String AUTH_LOGIN_CALLBACK = "/auth/login/callback";
    private static final String AUTH_LOGOUT = "/auth/logout";
    public static final String AUTH_ASSETS = "/auth/assets/**";

    // Every path this filter chain is responsible for.
    private static final String[] MATCHER_ROUTES = {AUTH_LOGIN, AUTH_AUTHORIZE, AUTH_COCKPIT, AUTH_LOGIN_CALLBACK, AUTH_LOGOUT, AUTH_ASSETS};

    // Subset of MATCHER_ROUTES reachable without authentication. Anything added here becomes
    // anonymous-accessible, so keep it limited to what the login flow needs.
    private static final String[] PERMITTED_ROUTES = {AUTH_LOGIN, AUTH_COCKPIT, AUTH_ASSETS};

    private final ApplicationEventPublisher applicationEventPublisher;

    /**
     * @param environment passed to the parent configuration; also used here to read the redirect allow-lists
     * @param applicationEventPublisher handed to the social authentication filter
     */
    @Autowired
    public AuthSecurityConfiguration(Environment environment, ApplicationEventPublisher applicationEventPublisher) {
        super(environment);
        this.applicationEventPublisher = applicationEventPublisher;
    }

    /**
     * Builds the filter chain for the {@code /auth/**} endpoints.
     *
     * <p>The custom filters are registered in the same order as before; all of them are anchored
     * before {@link AbstractPreAuthenticatedProcessingFilter} except the logout redirect check,
     * which is anchored before {@link LogoutFilter}. Do not reorder the registrations without
     * checking how the filters depend on each other.
     *
     * @return the built chain, with CSRF settings applied by the parent class
     * @throws Exception if the {@link HttpSecurity} DSL fails to build
     */
    @Bean
    @Order(100)
    public SecurityFilterChain authSecurityFilterChain(HttpSecurity httpSecurity, AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> authenticationDetailsSource, AuditService auditService, JWTParser jWTParser, OrganizationUserService organizationUserService, ReCaptchaService reCaptchaService, ObjectMapper objectMapper, CookieCsrfSignedTokenRepository cookieCsrfSignedTokenRepository) throws Exception {
        AntPathRequestMatcher[] chainMatchers = Arrays.stream(MATCHER_ROUTES)
                .map(AntPathRequestMatcher::antMatcher)
                .toArray(AntPathRequestMatcher[]::new);
        AntPathRequestMatcher[] anonymousMatchers = Arrays.stream(PERMITTED_ROUTES)
                .map(AntPathRequestMatcher::antMatcher)
                .toArray(AntPathRequestMatcher[]::new);

        httpSecurity
                // Scope: requests outside MATCHER_ROUTES are not handled by this chain.
                .securityMatchers(matchers -> matchers.requestMatchers(chainMatchers))
                // Default-deny inside the scope: only PERMITTED_ROUTES are anonymous.
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers(anonymousMatchers).permitAll()
                        .anyRequest().authenticated())
                .formLogin(form -> form
                        .loginPage(AUTH_LOGIN)
                        .authenticationDetailsSource(authenticationDetailsSource)
                        .successHandler(authenticationSuccessHandler())
                        .failureHandler(authenticationFailureHandler())
                        .permitAll())
                // The logout matcher is built from the path only, so it matches any HTTP method.
                .logout(logout -> logout
                        .logoutRequestMatcher(new AntPathRequestMatcher(AUTH_LOGOUT))
                        .logoutSuccessHandler(new CustomLogoutSuccessHandler(auditService, this.environment, jWTParser, organizationUserService))
                        .addLogoutHandler(cookieClearingLogoutHandler()))
                // Unauthenticated access to a protected path is sent to the login page.
                .exceptionHandling(errors -> errors.authenticationEntryPoint(loginUrlAuthenticationEntryPoint()))
                .cors(Customizer.withDefaults())
                .sessionManagement(sessions -> sessions.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

        httpSecurity
                .addFilterBefore(cockpitAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
                .addFilterBefore(new RecaptchaFilter(reCaptchaService, objectMapper), AbstractPreAuthenticatedProcessingFilter.class)
                .addFilterBefore(new CheckRedirectionCookieFilter(), AbstractPreAuthenticatedProcessingFilter.class)
                .addFilterBefore(checkLoginRedirectUriFilter(), AbstractPreAuthenticatedProcessingFilter.class)
                .addFilterBefore(checkLogoutRedirectUriFilter(), LogoutFilter.class)
                .addFilterBefore(builtInAuthFilter(), AbstractPreAuthenticatedProcessingFilter.class)
                .addFilterBefore(socialAuthFilter(), AbstractPreAuthenticatedProcessingFilter.class)
                .addFilterBefore(checkAuthCookieFilter(), AbstractPreAuthenticatedProcessingFilter.class);

        return (SecurityFilterChain) applyCsrf(httpSecurity, cookieCsrfSignedTokenRepository).build();
    }

    /** Success handler for form login; redirects go through {@link #redirectStrategy()}. */
    @Bean
    public AuthenticationSuccessHandler authenticationSuccessHandler() {
        CustomAuthenticationSuccessHandler handler = new CustomAuthenticationSuccessHandler();
        handler.setRedirectStrategy(redirectStrategy());
        return handler;
    }

    /** Failure handler for form login; sends the user back to the login page with {@code ?error}. */
    @Bean
    public AuthenticationFailureHandler authenticationFailureHandler() {
        CustomAuthenticationFailureHandler handler = new CustomAuthenticationFailureHandler("/auth/login?error");
        handler.setRedirectStrategy(redirectStrategy());
        return handler;
    }

    /**
     * Redirect strategy shared by the success and failure handlers.
     *
     * <p>NOTE(review): the class name suggests redirect URLs are derived from
     * {@code X-Forwarded-*} headers. Those headers are client-controlled unless a trusted
     * reverse proxy overwrites them; confirm against the implementation and the deployment.
     */
    @Bean
    public RedirectStrategy redirectStrategy() {
        return new XForwardedAwareRedirectStrategy();
    }

    /** Filter handling the {@code /auth/cockpit} authentication flow (implementation not shown here). */
    @Bean
    public CockpitAuthenticationFilter cockpitAuthenticationFilter() {
        return new CockpitAuthenticationFilter();
    }

    /** Filter that checks the authentication cookie; registered last among the custom filters. */
    @Bean
    public Filter checkAuthCookieFilter() {
        return new CheckAuthenticationCookieFilter();
    }

    /** Logout handler added to the logout configuration; presumably clears the auth cookies (confirm). */
    @Bean
    public LogoutHandler cookieClearingLogoutHandler() {
        return new CookieClearingLogoutHandler();
    }

    /**
     * Filter validating the {@code redirect_uri} parameter on {@code /authorize}.
     *
     * <p>The allow-list comes from {@code http.login.allow-redirect-urls} and falls back to
     * {@code "*"} when the property is unset. How {@code CheckRedirectUriFilter} interprets
     * {@code "*"} is not visible here; presumably it accepts any target. Deployments should set
     * explicit URLs so the parameter cannot be used as an open redirect.
     */
    @Bean
    public Filter checkLoginRedirectUriFilter() {
        CheckRedirectUriFilter loginRedirectCheck = new CheckRedirectUriFilter("/authorize");
        loginRedirectCheck.setParamName("redirect_uri");
        loginRedirectCheck.setAllowedUrls(getPropertiesAsList("http.login.allow-redirect-urls", "*"));
        return loginRedirectCheck;
    }

    /**
     * Filter validating the {@code target_url} parameter on {@code /logout}.
     *
     * <p>The allow-list comes from {@code http.logout.allow-redirect-urls} and falls back to
     * {@code "*"} when the property is unset. How {@code CheckRedirectUriFilter} interprets
     * {@code "*"} is not visible here; presumably it accepts any target. Deployments should set
     * explicit URLs so the parameter cannot be used as an open redirect.
     */
    @Bean
    public Filter checkLogoutRedirectUriFilter() {
        CheckRedirectUriFilter logoutRedirectCheck = new CheckRedirectUriFilter("/logout");
        logoutRedirectCheck.setParamName("target_url");
        logoutRedirectCheck.setAllowedUrls(getPropertiesAsList("http.logout.allow-redirect-urls", "*"));
        return logoutRedirectCheck;
    }

    /** Built-in authentication filter bound to {@code /auth/authorize}. */
    @Bean
    public Filter builtInAuthFilter() {
        return new BuiltInAuthenticationFilter(new AntPathRequestMatcher(AUTH_AUTHORIZE));
    }

    /** Entry point that sends unauthenticated requests to {@code /auth/login}. */
    @Bean
    public LoginUrlAuthenticationEntryPoint loginUrlAuthenticationEntryPoint() {
        return new LoginUrlAuthenticationEntryPoint(AUTH_LOGIN);
    }

    /** Social login filter bound to {@code /auth/login/callback}; receives the application event publisher. */
    @Bean
    public Filter socialAuthFilter() {
        SocialAuthenticationFilter socialFilter = new SocialAuthenticationFilter(AUTH_LOGIN_CALLBACK);
        socialFilter.setApplicationEventPublisher(this.applicationEventPublisher);
        return socialFilter;
    }

    /**
     * Reads a comma-separated property as a list.
     *
     * <p>All whitespace is removed before splitting, so entries cannot contain spaces. A
     * property that is present but empty yields a list holding one empty string, not an
     * empty list. The returned list is the fixed-size view produced by {@link Arrays#asList}.
     *
     * @param propertyKey  environment property to read
     * @param defaultValue value used when the property is not defined
     * @return the entries in declaration order
     */
    private List<String> getPropertiesAsList(String propertyKey, String defaultValue) {
        String rawValue = this.environment.getProperty(propertyKey, defaultValue);
        String withoutWhitespace = rawValue.replaceAll("\\s+", "");
        return Arrays.asList(withoutWhitespace.split(","));
    }
}
