package io.gravitee.am.management.handlers.management.api.spring.security.filter;

import io.gravitee.am.management.handlers.management.api.authentication.csrf.CookieCsrfSignedTokenRepository;
import io.gravitee.am.management.handlers.management.api.authentication.filter.BearerAuthenticationFilter;
import io.gravitee.am.management.handlers.management.api.authentication.web.Http401UnauthorizedEntryPoint;
import io.gravitee.am.management.handlers.management.api.spring.security.SecurityConfiguration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

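/**
 * Spring Security configuration for the management API paths listed in {@link #PATHS}.
 *
 * <p>Requests matching those paths must be authenticated, are handled without Spring Security
 * creating an HTTP session, and receive a Content-Security-Policy header unless CSP is disabled
 * through {@link SecurityConfiguration#HTTP_CSP_ENABLED}. CSRF handling is delegated to
 * {@code applyCsrf}, inherited from {@link CsrfAwareConfiguration}.
 */
@Configuration
/* loaded from: input_file:io/gravitee/am/management/handlers/management/api/spring/security/filter/ManagementSecurityConfiguration.class */
public class ManagementSecurityConfiguration extends CsrfAwareConfiguration {
    /** Ant patterns of the endpoints protected by {@link #managementSecurityFilter}. */
    private static final String[] PATHS = {"/organizations/**", "/user/**", "/platform/**"};
    private final Http401UnauthorizedEntryPoint http401UnauthorizedEntryPoint;

    /**
     * Creates the configuration.
     *
     * @param environment property source, passed to the superclass and read for the CSP settings
     * @param http401UnauthorizedEntryPoint entry point invoked when a request is not authenticated
     */
    @Autowired
    public ManagementSecurityConfiguration(Environment environment, Http401UnauthorizedEntryPoint http401UnauthorizedEntryPoint) {
        super(environment);
        this.http401UnauthorizedEntryPoint = http401UnauthorizedEntryPoint;
    }

    /**
     * Builds the filter chain that guards {@link #PATHS}.
     *
     * <p>The chain only applies to requests matching {@link #PATHS}; any other URL is outside its
     * scope and must be covered by another chain.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @param bearerAuthenticationFilter filter registered after
     *     {@link UsernamePasswordAuthenticationFilter}
     * @param cookieCsrfSignedTokenRepository token repository handed to {@code applyCsrf}
     * @return the configured filter chain
     * @throws Exception if the builder fails to configure or build the chain
     */
    @Bean
    @Order(102)
    public SecurityFilterChain managementSecurityFilter(HttpSecurity httpSecurity, BearerAuthenticationFilter bearerAuthenticationFilter, CookieCsrfSignedTokenRepository cookieCsrfSignedTokenRepository) throws Exception {
        AntPathRequestMatcher[] protectedPaths = Arrays.stream(PATHS)
                .map(AntPathRequestMatcher::antMatcher)
                .toArray(AntPathRequestMatcher[]::new);
        httpSecurity
                // The same matcher array scopes the chain and the authorization rule, so every
                // request this chain handles requires authentication.
                .securityMatchers(matchers -> matchers.requestMatchers(protectedPaths))
                .authorizeHttpRequests(registry -> registry.requestMatchers(protectedPaths).authenticated())
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                // Empty customizer: CORS is enabled with whatever CORS configuration the
                // application context provides; nothing is configured here.
                .cors(cors -> {
                })
                .httpBasic(basic -> basic.disable())
                .exceptionHandling(handling -> handling.authenticationEntryPoint(this.http401UnauthorizedEntryPoint))
                .addFilterAfter(bearerAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        return (SecurityFilterChain) applyCsrf(csp(httpSecurity), cookieCsrfSignedTokenRepository).build();
    }

    /**
     * Excludes the OpenAPI descriptors from Spring Security.
     *
     * <p>NOTE(review): {@code ignoring()} takes these two paths out of every security filter
     * chain, so they are served without authentication and without the headers (CSP included)
     * that the chains add. Confirm the descriptors are meant to be public.
     *
     * @return customizer that ignores {@code /openapi.json} and {@code /openapi.yaml}
     */
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return webSecurity -> webSecurity.ignoring().requestMatchers(
                AntPathRequestMatcher.antMatcher("/openapi.json"),
                AntPathRequestMatcher.antMatcher("/openapi.yaml"));
    }

    /**
     * Adds the Content-Security-Policy header to the chain unless CSP is disabled.
     *
     * <p>CSP is enabled when {@link SecurityConfiguration#HTTP_CSP_ENABLED} is unset. When no
     * usable directive is configured, the two default directives from
     * {@link SecurityConfiguration} are applied, so an empty configuration never results in an
     * empty policy.
     *
     * @param httpSecurity builder to configure
     * @return the same builder, with the CSP header configured when enabled
     * @throws Exception if the headers configurer cannot be applied
     */
    private HttpSecurity csp(HttpSecurity httpSecurity) throws Exception {
        boolean cspEnabled = this.environment.getProperty(SecurityConfiguration.HTTP_CSP_ENABLED, Boolean.class, true);
        if (!cspEnabled) {
            return httpSecurity;
        }
        List<String> directives = getDirectives();
        if (directives.isEmpty()) {
            directives.add(SecurityConfiguration.DEFAULT_DEFAULT_SRC_CSP_DIRECTIVE);
            directives.add(SecurityConfiguration.DEFAULT_FRAME_ANCESTOR_CSP_DIRECTIVE);
        }
        String policy = getPolicyDirectives(directives);
        return httpSecurity.headers(headers ->
                headers.contentSecurityPolicy(contentSecurityPolicy -> contentSecurityPolicy.policyDirectives(policy)));
    }

    /**
     * Joins directives into a single header value.
     *
     * <p>Each directive is trimmed and terminated with {@code ;} when it does not already end
     * with one; empty entries are dropped so they cannot contribute a stray separator.
     *
     * @param list directives to join; elements must not be {@code null}
     * @return the directives separated by a single space
     */
    private static String getPolicyDirectives(List<String> list) {
        return list.stream()
                .map(String::trim)
                .filter(directive -> !directive.isEmpty())
                .map(directive -> directive.endsWith(";") ? directive : directive + ";")
                .collect(Collectors.joining(" "));
    }

    /**
     * Reads the configured CSP directives, starting at index 0 and stopping at the first index
     * that has no property.
     *
     * <p>Blank values are skipped rather than returned: a blank entry would otherwise count as a
     * configured directive, suppress the defaults in {@link #csp}, and leave a policy of just
     * {@code ;}.
     *
     * @return a mutable list of the non-blank directives, empty when none is configured
     */
    private List<String> getDirectives() {
        List<String> directives = new ArrayList<>();
        for (int index = 0; ; index++) {
            String directive = getProperty(index);
            if (directive == null) {
                return directives;
            }
            if (!directive.trim().isEmpty()) {
                directives.add(directive);
            }
        }
    }

    /**
     * Looks up one indexed CSP directive.
     *
     * @param i index substituted into the {@link SecurityConfiguration#HTTP_CSP_DIRECTIVES}
     *     format string
     * @return the property value, or {@code null} when the property is not set
     */
    private String getProperty(int i) {
        return this.environment.getProperty(String.format(SecurityConfiguration.HTTP_CSP_DIRECTIVES, i), String.class);
    }
}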
