package com.c4_soft.springaddons.security.oidc.starter.reactive;

import com.c4_soft.springaddons.security.oidc.starter.properties.CorsProperties;
import com.c4_soft.springaddons.security.oidc.starter.properties.Csrf;
import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties;
import com.c4_soft.springaddons.security.oidc.starter.reactive.client.ClientAuthorizeExchangeSpecPostProcessor;
import com.c4_soft.springaddons.security.oidc.starter.reactive.client.ClientReactiveHttpSecurityPostProcessor;
import com.c4_soft.springaddons.security.oidc.starter.reactive.resourceserver.ResourceServerAuthorizeExchangeSpecPostProcessor;
import com.c4_soft.springaddons.security.oidc.starter.reactive.resourceserver.ResourceServerReactiveHttpSecurityPostProcessor;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.server.csrf.XorServerCsrfTokenRequestAttributeHandler;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsWebFilter;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/* loaded from: input_file:com/c4_soft/springaddons/security/oidc/starter/reactive/ReactiveConfigurationSupport.class */
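/**
 * Static helpers that apply the spring-addons OIDC properties to a reactive
 * {@link ServerHttpSecurity}: authentication entry point, session/CSRF state,
 * anonymous access rules, HTTPS redirection and CORS.
 *
 * <p>This listing is decompiler output: parameter names such as {@code z},
 * {@code str} and {@code list} are synthetic and are documented on each method.
 */
public class ReactiveConfigurationSupport {

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/c4_soft/springaddons/security/oidc/starter/reactive/ReactiveConfigurationSupport$SpaCsrfTokenRequestHandler.class */
    /**
     * CSRF request handler used with the JavaScript-readable CSRF cookie.
     *
     * <p>Token publication is delegated to a {@link XorServerCsrfTokenRequestAttributeHandler}.
     * Token resolution first looks at the request header named by the token: when that header is
     * present its value is used as-is; only when it is absent is resolution left to the delegate.
     */
    public static final class SpaCsrfTokenRequestHandler extends ServerCsrfTokenRequestAttributeHandler {
        private final ServerCsrfTokenRequestAttributeHandler delegate = new XorServerCsrfTokenRequestAttributeHandler();

        SpaCsrfTokenRequestHandler() {
        }

        /**
         * Hands the token over to the XOR delegate so that it is the delegate that exposes it
         * on the exchange.
         *
         * @param serverWebExchange current exchange
         * @param mono              deferred CSRF token
         */
        public void handle(ServerWebExchange serverWebExchange, Mono<CsrfToken> mono) {
            this.delegate.handle(serverWebExchange, mono);
        }

        /**
         * Resolves the token value submitted by the client.
         *
         * @param serverWebExchange current exchange
         * @param csrfToken         expected token; supplies the header name to read
         * @return the raw header value when the header is present, otherwise whatever the
         *         delegate resolves
         */
        public Mono<String> resolveCsrfTokenValue(ServerWebExchange serverWebExchange, CsrfToken csrfToken) {
            String headerValue = serverWebExchange.getRequest().getHeaders().getFirst(csrfToken.getHeaderName());
            // The fallback publisher is built eagerly (as in the original expression) but only
            // subscribed to when the header is missing.
            return Mono.justOrEmpty(headerValue).switchIfEmpty(this.delegate.resolveCsrfTokenValue(serverWebExchange, csrfToken));
        }
    }

    /**
     * Configures a resource-server filter chain.
     *
     * <p>Installs an authentication entry point answering {@code 401} with a
     * {@code WWW-Authenticate: OAuth realm="iss1,iss2"} header built from the configured issuers,
     * then applies state (sessions/CSRF), access rules, optional HTTPS redirection and finally
     * the two post-processors, in that order.
     *
     * @param serverHttpSecurity                              security builder to configure
     * @param serverProperties                                Boot server properties, read for the SSL flag
     * @param springAddonsOidcProperties                      spring-addons OIDC properties
     * @param resourceServerAuthorizeExchangeSpecPostProcessor hook for the remaining authorization rules
     * @param resourceServerReactiveHttpSecurityPostProcessor  hook run last on the whole builder
     * @return the same {@code serverHttpSecurity} instance
     */
    public static ServerHttpSecurity configureResourceServer(ServerHttpSecurity serverHttpSecurity, ServerProperties serverProperties, SpringAddonsOidcProperties springAddonsOidcProperties, ResourceServerAuthorizeExchangeSpecPostProcessor resourceServerAuthorizeExchangeSpecPostProcessor, ResourceServerReactiveHttpSecurityPostProcessor resourceServerReactiveHttpSecurityPostProcessor) {
        serverHttpSecurity.exceptionHandling(exceptionHandlingSpec -> {
            // Comma-separated issuer list wrapped in a single pair of double quotes.
            String issuers = springAddonsOidcProperties.getOps().stream()
                    .map(op -> op.getIss())
                    .filter(iss -> iss != null)
                    .map(iss -> iss.toString())
                    .collect(Collectors.joining(",", "\"", "\""));
            exceptionHandlingSpec.authenticationEntryPoint((serverWebExchange, authenticationException) -> {
                ServerHttpResponse response = serverWebExchange.getResponse();
                response.setStatusCode(HttpStatus.UNAUTHORIZED);
                response.getHeaders().set("WWW-Authenticate", "OAuth realm=%s".formatted(issuers));
                // NOTE(review): the exception message is returned verbatim to an unauthenticated
                // caller; confirm it never carries token-validation details worth hiding.
                String message = authenticationException.getMessage();
                // A null message must not turn the 401 into an error, and the body encoding must
                // not depend on the platform default charset.
                byte[] body = (message == null ? "" : message).getBytes(StandardCharsets.UTF_8);
                DataBuffer buffer = response.bufferFactory().wrap(body);
                return response.writeWith(Mono.just(buffer)).doOnError(th -> DataBufferUtils.release(buffer));
            });
        });
        configureState(serverHttpSecurity, springAddonsOidcProperties.getResourceserver().isStatlessSessions(), springAddonsOidcProperties.getResourceserver().getCsrf(), springAddonsOidcProperties.getResourceserver().getCsrfCookieName(), springAddonsOidcProperties.getResourceserver().getCsrfCookiePath());
        configureAccess(serverHttpSecurity, springAddonsOidcProperties.getResourceserver().getPermitAll(), mergeCorsProperties(springAddonsOidcProperties));
        if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
            serverHttpSecurity.redirectToHttps(Customizer.withDefaults());
        }
        serverHttpSecurity.authorizeExchange(authorizeExchangeSpec -> resourceServerAuthorizeExchangeSpecPostProcessor.authorizeHttpRequests(authorizeExchangeSpec));
        resourceServerReactiveHttpSecurityPostProcessor.process(serverHttpSecurity);
        return serverHttpSecurity;
    }

    /**
     * Configures an OAuth2-client filter chain.
     *
     * <p>Same sequence as {@link #configureResourceServer} without the custom entry point, and
     * with the stateless flag hard-coded to {@code false}: the security-context repository is
     * left untouched and CSRF is never disabled on account of statelessness.
     *
     * @param serverHttpSecurity                       security builder to configure
     * @param serverProperties                         Boot server properties, read for the SSL flag
     * @param springAddonsOidcProperties               spring-addons OIDC properties
     * @param clientAuthorizeExchangeSpecPostProcessor hook for the remaining authorization rules
     * @param clientReactiveHttpSecurityPostProcessor  hook run last on the whole builder
     * @return the same {@code serverHttpSecurity} instance
     */
    public static ServerHttpSecurity configureClient(ServerHttpSecurity serverHttpSecurity, ServerProperties serverProperties, SpringAddonsOidcProperties springAddonsOidcProperties, ClientAuthorizeExchangeSpecPostProcessor clientAuthorizeExchangeSpecPostProcessor, ClientReactiveHttpSecurityPostProcessor clientReactiveHttpSecurityPostProcessor) {
        configureState(serverHttpSecurity, false, springAddonsOidcProperties.getClient().getCsrf(), springAddonsOidcProperties.getClient().getCsrfCookieName(), springAddonsOidcProperties.getClient().getCsrfCookiePath());
        configureAccess(serverHttpSecurity, springAddonsOidcProperties.getClient().getPermitAll(), mergeCorsProperties(springAddonsOidcProperties));
        if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
            serverHttpSecurity.redirectToHttps(Customizer.withDefaults());
        }
        serverHttpSecurity.authorizeExchange(authorizeExchangeSpec -> clientAuthorizeExchangeSpecPostProcessor.authorizeHttpRequests(authorizeExchangeSpec));
        clientReactiveHttpSecurityPostProcessor.process(serverHttpSecurity);
        return serverHttpSecurity;
    }

    /**
     * Concatenates the root, client and resource-server CORS entries (in that order) into a
     * new mutable list, leaving the property lists themselves untouched.
     */
    private static List<CorsProperties> mergeCorsProperties(SpringAddonsOidcProperties springAddonsOidcProperties) {
        List<CorsProperties> merged = new ArrayList<>(springAddonsOidcProperties.getCors());
        merged.addAll(springAddonsOidcProperties.getClient().getCors());
        merged.addAll(springAddonsOidcProperties.getResourceserver().getCors());
        return merged;
    }

    /**
     * Opens the routes that must be reachable without authentication.
     *
     * <p>Two sets of paths are opened: every pattern in {@code list} for all HTTP methods, and,
     * for {@code OPTIONS} only, the path of each CORS entry that allows {@code OPTIONS} (or
     * {@code *}) and has not disabled anonymous preflight. Anonymous authentication is enabled
     * only when at least one of the two sets is non-empty.
     *
     * @param serverHttpSecurity security builder to configure
     * @param list               path patterns to permit for everyone
     * @param list2              CORS entries from which anonymous preflight paths are derived
     * @return the same {@code serverHttpSecurity} instance
     */
    public static ServerHttpSecurity configureAccess(ServerHttpSecurity serverHttpSecurity, List<String> list, List<CorsProperties> list2) {
        List<String> anonymousPreflightPaths = list2.stream()
                .filter(cors -> (cors.getAllowedMethods().contains("*") || cors.getAllowedMethods().contains("OPTIONS")) && !cors.isDisableAnonymousOptions())
                .map(cors -> cors.getPath())
                .toList();
        boolean hasPermitAll = !list.isEmpty();
        boolean hasAnonymousPreflight = !anonymousPreflightPaths.isEmpty();
        if (hasPermitAll || hasAnonymousPreflight) {
            serverHttpSecurity.anonymous(Customizer.withDefaults());
        }
        if (hasPermitAll) {
            // Every pattern here bypasses authentication for all methods; keep the list minimal.
            serverHttpSecurity.authorizeExchange(spec -> spec.pathMatchers(list.toArray(new String[0])).permitAll());
        }
        if (hasAnonymousPreflight) {
            // Preflight requests carry no credentials, so only OPTIONS is opened on these paths.
            serverHttpSecurity.authorizeExchange(spec -> spec.pathMatchers(HttpMethod.OPTIONS, anonymousPreflightPaths.toArray(new String[0])).permitAll());
        }
        return serverHttpSecurity;
    }

    /**
     * Builds a {@link CorsWebFilter} with one {@link CorsConfiguration} registered per entry,
     * keyed by the entry's path.
     *
     * <p>NOTE(review): origins are set as patterns together with the allow-credentials flag
     * taken from configuration, so a broad pattern combined with credentials widens which sites
     * may make authenticated cross-origin calls; review the configured values.
     *
     * @param list CORS entries to register
     * @return a filter backed by a URL-based configuration source
     */
    public static CorsWebFilter getCorsFilterBean(List<CorsProperties> list) {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        for (CorsProperties corsProperties : list) {
            CorsConfiguration configuration = new CorsConfiguration();
            configuration.setAllowCredentials(corsProperties.getAllowCredentials());
            configuration.setAllowedHeaders(corsProperties.getAllowedHeaders());
            configuration.setAllowedMethods(corsProperties.getAllowedMethods());
            configuration.setAllowedOriginPatterns(corsProperties.getAllowedOriginPatterns());
            configuration.setExposedHeaders(corsProperties.getExposedHeaders());
            configuration.setMaxAge(corsProperties.getMaxAge());
            source.registerCorsConfiguration(corsProperties.getPath(), configuration);
        }
        return new CorsWebFilter(source);
    }

    /**
     * Applies the session and CSRF policy.
     *
     * <ul>
     *   <li>{@code DISABLE}: CSRF protection is switched off.</li>
     *   <li>{@code DEFAULT}: switched off when {@code z} (stateless) is true, otherwise the
     *       builder's defaults are kept.</li>
     *   <li>{@code SESSION}: the builder's defaults are kept.</li>
     *   <li>{@code COOKIE_ACCESSIBLE_FROM_JS}: the token is stored in a cookie without the
     *       {@code HttpOnly} flag, using the given name and path, and resolved by
     *       {@link SpaCsrfTokenRequestHandler}.</li>
     * </ul>
     *
     * @param serverHttpSecurity security builder to configure
     * @param z                  stateless flag; when true the security context is not persisted
     * @param csrf               CSRF mode
     * @param str                CSRF cookie name (used by {@code COOKIE_ACCESSIBLE_FROM_JS} only)
     * @param str2               CSRF cookie path (used by {@code COOKIE_ACCESSIBLE_FROM_JS} only)
     * @return the same {@code serverHttpSecurity} instance
     */
    public static ServerHttpSecurity configureState(ServerHttpSecurity serverHttpSecurity, boolean z, Csrf csrf, String str, String str2) {
        if (z) {
            serverHttpSecurity.securityContextRepository(NoOpServerSecurityContextRepository.getInstance());
        }
        serverHttpSecurity.csrf(csrfSpec -> {
            switch (csrf) {
                case DISABLE -> csrfSpec.disable();
                case DEFAULT -> {
                    // NOTE(review): disabling CSRF for stateless chains presumes requests are
                    // authorized by something the browser does not attach on its own (e.g. a
                    // bearer header rather than a cookie); confirm for each deployment.
                    if (z) {
                        csrfSpec.disable();
                    }
                    // Otherwise the spec is left untouched, i.e. the builder's defaults apply.
                }
                case SESSION -> {
                    // Spec left untouched: the builder's default CSRF configuration applies.
                }
                case COOKIE_ACCESSIBLE_FROM_JS -> {
                    // The cookie is deliberately readable by scripts so that a browser app can
                    // copy it into the request header; any script running on the origin can
                    // read it as well.
                    CookieServerCsrfTokenRepository repository = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
                    repository.setCookiePath(str2);
                    repository.setCookieName(str);
                    csrfSpec.csrfTokenRepository(repository).csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler());
                }
                default -> {
                    // Unknown mode: leave the builder's defaults in place.
                }
            }
        });
        return serverHttpSecurity;
    }
}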
