package se.ikama.bauta.config;

import com.vaadin.flow.spring.security.VaadinWebSecurity;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

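/**
 * Web security for every profile except {@code dev}.
 * <p>
 * Permits {@code /static/**} and {@code /reports/**} without authentication, hands everything else
 * to {@link VaadinWebSecurity}, sends unauthenticated users to the configured IdP authorization
 * endpoint (optionally with PKCE), and maps Keycloak-style {@code realm_access.roles} onto the
 * application's {@code ROLE_ADMIN}, {@code ROLE_BATCH_VIEW} and {@code ROLE_BATCH_EXECUTE}
 * authorities.
 */
@Profile({"!dev"})
@EnableWebSecurity
@Configuration
/* loaded from: input_file:se/ikama/bauta/config/SecurityConfiguration.class */
public class SecurityConfiguration extends VaadinWebSecurity {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(SecurityConfiguration.class);

    /** Claim (OIDC user-info) / attribute (plain OAuth2) under which Keycloak publishes realm roles. */
    private static final String REALM_ACCESS_CLAIM = "realm_access";

    /** Key holding the role-name list, both inside {@code realm_access} and as a top-level OAuth2 attribute. */
    private static final String ROLES_KEY = "roles";

    /** Base URI of the authorization-request endpoint; {@code idpAuthLoginPage} is expected to sit below it. */
    private static final String AUTHORIZATION_REQUEST_BASE_URI = "/oauth2/authorization";

    // NOTE(review): injected but never read in this class — verify whether it is still needed
    @Value("${bauta.security.configFilePath:}")
    private String securityConfigFilePath;

    /** IdP role name that becomes {@code ROLE_ADMIN}. */
    @Value("${bauta.security.idp.role.admin:bauta-admin}")
    private String idpRoleAdmin;

    /** When true, every authorization request to the IdP carries PKCE parameters. */
    @Value("${bauta.security.idp.pkceEnabled:false}")
    private boolean idpPkceEnabled;

    /** IdP role name that becomes {@code ROLE_BATCH_VIEW}. */
    @Value("${bauta.security.idp.role.batch-view:bauta-batch-view}")
    private String idpRoleBatchView;

    /** IdP role name that becomes {@code ROLE_BATCH_EXECUTE}. */
    @Value("${bauta.security.idp.role.batch-execute:bauta-batch-execute}")
    private String idpRoleBatchExecute;

    /** Login page handed to Vaadin; by default the authorization-request URL of the "keycloak" registration. */
    @Value("${bauta.security.idp.authLoginPage:/oauth2/authorization/keycloak}")
    private String idpAuthLoginPage;

    @Autowired
    ClientRegistrationRepository repo;

    /**
     * Builds the HTTP security chain: public paths, logout, CSRF, Vaadin defaults, IdP login and PKCE.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @throws Exception propagated from {@link VaadinWebSecurity#configure(HttpSecurity)} and the configurers
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        log.info("IDP roles: admin={}, batch-view={}, batch-execute={}",
                this.idpRoleAdmin, this.idpRoleBatchView, this.idpRoleBatchExecute);
        log.info("IDP auth login page: {}", this.idpAuthLoginPage);

        // Both patterns are permitAll, so one rule is equivalent to two and keeps them adjacent
        // in the order-sensitive registry.
        // NOTE(review): /reports/** is reachable without a login — confirm report output is safe to expose.
        httpSecurity.authorizeHttpRequests(registry -> registry
                .requestMatchers(
                        new AntPathRequestMatcher("/static/**/*"),
                        new AntPathRequestMatcher("/reports/**/*"))
                .permitAll());

        httpSecurity.logout(logout -> logout
                .logoutSuccessUrl("{baseUrl}/ui/login")
                .clearAuthentication(true)
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"));

        // NOTE(review): Spring Security's CSRF filter is switched off for every endpoint, not only the
        // Vaadin requests that VaadinWebSecurity already exempts; with it off, Spring's logout handler
        // also accepts GET. Confirm this is intended before relying on it.
        httpSecurity.csrf(csrf -> csrf.disable());

        super.configure(httpSecurity);
        setOAuth2LoginPage(httpSecurity, this.idpAuthLoginPage, "{baseUrl}/ui/login");

        if (this.idpPkceEnabled) {
            configurePkce(httpSecurity);
        }
    }

    /**
     * Replaces the default authorization-request resolver with one that adds PKCE parameters.
     *
     * @param httpSecurity builder to register the resolver on
     * @throws Exception propagated from the oauth2Login configurer
     */
    private void configurePkce(HttpSecurity httpSecurity) throws Exception {
        log.info("Enabling PKCE");
        DefaultOAuth2AuthorizationRequestResolver resolver =
                new DefaultOAuth2AuthorizationRequestResolver(this.repo, AUTHORIZATION_REQUEST_BASE_URI);
        resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
        httpSecurity.oauth2Login(login -> login
                .authorizationEndpoint(endpoint -> endpoint.authorizationRequestResolver(resolver)));
    }

    /**
     * Maps the authorities Spring Security derives from the IdP response onto application authorities.
     * <p>
     * Only role names found under {@code realm_access.roles} (user-info claim for OIDC, attribute
     * for plain OAuth2) or under a top-level {@code roles} attribute are kept. The incoming
     * authorities themselves — the OIDC/OAuth2 user authority and any
     * {@link SimpleGrantedAuthority} — are deliberately dropped.
     *
     * @return mapper producing a de-duplicated set of {@link SimpleGrantedAuthority}
     */
    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapperForKeycloak() {
        return authorities -> {
            Collection<GrantedAuthority> mapped = new HashSet<>();
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority) {
                    mapped.addAll(rolesFromOidcAuthority((OidcUserAuthority) authority));
                } else if (authority instanceof OAuth2UserAuthority) {
                    mapped.addAll(rolesFromOAuth2Authority((OAuth2UserAuthority) authority));
                } else {
                    // SimpleGrantedAuthority and anything else carries no role claim: intentionally dropped
                    log.debug("Authority not mapped: {}", authority.getAuthority());
                }
            }
            return mapped;
        };
    }

    /**
     * Extracts realm roles from an OIDC authority's user-info claims.
     *
     * @param oidcAuthority authority built from the id token and, when fetched, the userinfo response
     * @return mapped authorities; empty when there is no user info or no {@code realm_access} claim
     */
    private Collection<GrantedAuthority> rolesFromOidcAuthority(OidcUserAuthority oidcAuthority) {
        log.debug("OICD Authority: {}", oidcAuthority.getAuthority());
        // Claim names only: claim values may carry PII (email, name, ...) and must not reach the logs.
        log.debug("Id token claims: {}", oidcAuthority.getIdToken().getClaims().keySet());
        OidcUserInfo userInfo = oidcAuthority.getUserInfo();
        if (userInfo == null) {
            // presumably null when no userinfo endpoint was configured for the registration — verify;
            // roles present only in the id token are not consulted, so the user ends up with no roles
            log.debug("No user info on OIDC authority; no realm roles mapped");
            return new HashSet<>();
        }
        log.debug("User info claims: {}", userInfo.getClaims().keySet());
        // getClaimAsMap yields null when the claim is absent; rolesFromRealmAccess tolerates that
        return rolesFromRealmAccess(userInfo.getClaimAsMap(REALM_ACCESS_CLAIM));
    }

    /**
     * Extracts roles from a plain OAuth2 authority's user attributes.
     *
     * @param oauth2Authority authority carrying the user-info attributes
     * @return mapped authorities from {@code realm_access.roles} and/or a top-level {@code roles} attribute
     */
    private Collection<GrantedAuthority> rolesFromOAuth2Authority(OAuth2UserAuthority oauth2Authority) {
        log.debug("Mapping OAuth2 user");
        Map<String, Object> attributes = oauth2Authority.getAttributes();
        Collection<GrantedAuthority> mapped = new HashSet<>();
        Object realmAccess = attributes.get(REALM_ACCESS_CLAIM);
        // instanceof rather than containsKey: a realm_access value that is not a map is ignored, not cast
        if (realmAccess instanceof Map) {
            mapped.addAll(rolesFromRealmAccess((Map<?, ?>) realmAccess));
        }
        mapped.addAll(generateAuthoritiesFromClaim(asStringCollection(attributes.get(ROLES_KEY))));
        return mapped;
    }

    /**
     * Reads the {@code roles} entry of a {@code realm_access} map.
     *
     * @param realmAccess the claim/attribute map, or {@code null} when absent
     * @return mapped authorities; empty when the map or its {@code roles} entry is missing
     */
    private Collection<GrantedAuthority> rolesFromRealmAccess(Map<?, ?> realmAccess) {
        if (realmAccess == null) {
            return new HashSet<>();
        }
        return generateAuthoritiesFromClaim(asStringCollection(realmAccess.get(ROLES_KEY)));
    }

    /**
     * Converts a raw claim value to a collection of role names.
     *
     * @param claimValue value taken from a claim/attribute map, expected to be a JSON array of strings
     * @return the elements as strings with nulls skipped; empty when the value is not a collection
     */
    private static Collection<String> asStringCollection(Object claimValue) {
        if (!(claimValue instanceof Collection)) {
            return List.of();
        }
        return ((Collection<?>) claimValue).stream()
                .filter(Objects::nonNull)
                .map(String::valueOf)
                .collect(Collectors.toList());
    }

    /**
     * Translates IdP role names into application authorities.
     * <p>
     * A name equal to one of the configured IdP roles becomes the matching {@code ROLE_*}
     * authority; any other name is kept verbatim as the authority string.
     *
     * @param collection IdP role names; {@code null} is treated as empty and null elements are skipped
     * @return one {@link SimpleGrantedAuthority} per role name, in input order
     * @throws IllegalArgumentException if two of the configured IdP role properties hold the same
     *         name (fails closed instead of guessing which application role should win)
     */
    Collection<GrantedAuthority> generateAuthoritiesFromClaim(Collection<String> collection) {
        Collection<String> roleNames = collection == null ? List.of() : collection;
        log.debug("Mapping roles: {}", roleNames);
        Map<String, String> roleMapping = idpRoleMapping();
        Collection<GrantedAuthority> mapped = roleNames.stream()
                .filter(Objects::nonNull)
                .map(role -> new SimpleGrantedAuthority(roleMapping.getOrDefault(role, role)))
                .collect(Collectors.toList());
        log.debug("Mapped roles: {}", mapped);
        return mapped;
    }

    /**
     * IdP role name → application authority, built from the injected properties.
     *
     * @return immutable mapping of the three configured IdP roles
     * @throws IllegalArgumentException if two properties resolve to the same IdP role name
     */
    private Map<String, String> idpRoleMapping() {
        // Map.of rejects duplicate keys, so a misconfiguration surfaces as an error rather than a silent grant
        return Map.of(
                this.idpRoleAdmin, "ROLE_ADMIN",
                this.idpRoleBatchView, "ROLE_BATCH_VIEW",
                this.idpRoleBatchExecute, "ROLE_BATCH_EXECUTE");
    }
}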
