package io.camunda.zeebe.shared.security;

import io.camunda.zeebe.gateway.rest.ConditionalOnRestGatewayEnabled;
import io.camunda.zeebe.gateway.rest.TenantAttributeHolder;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Condition;
import org.springframework.context.annotation.ConditionContext;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.core.type.AnnotatedTypeMetadata;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFilter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;

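/**
 * Spring Security wiring for the Zeebe gateway when the {@code identity-auth} profile is active.
 *
 * <p>Two {@link SecurityFilterChain}s are registered:
 * <ul>
 *   <li>{@link #managementSecurity}: highest precedence; actuator, liveness/readiness and error
 *       endpoints are served without authentication.</li>
 *   <li>{@link #restGatewaySecurity}: every other request must carry credentials that
 *       {@code IdentityAuthenticationManager} accepts; anonymous access is disabled.</li>
 * </ul>
 *
 * <p>{@code @EnableMethodSecurity} is switched on so method-level authorization annotations are
 * honoured in addition to the URL rules below.
 */
@EnableWebSecurity
@Configuration(proxyBeanMethods = false)
@EnableMethodSecurity
@Profile({"identity-auth"})
public class SecurityConfiguration {
    private static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfiguration.class);

    /**
     * Registers {@link #restGatewaySecurity} only when a gateway is enabled whose authentication
     * mode is something other than {@code none}.
     *
     * <p>An unset {@code ...security.authentication.mode} property is treated as "not none", i.e.
     * authentication stays required unless it is disabled explicitly (fail-closed default).
     */
    static class GatewaySecurityAuthenticationEnabledCondition implements Condition {
        private static final String STANDALONE_GATEWAY_ENABLED = "zeebe.gateway.enable";
        private static final String STANDALONE_GATEWAY_AUTH_MODE =
            "zeebe.gateway.security.authentication.mode";
        private static final String EMBEDDED_GATEWAY_ENABLED = "zeebe.broker.gateway.enable";
        private static final String EMBEDDED_GATEWAY_AUTH_MODE =
            "zeebe.broker.gateway.security.authentication.mode";
        private static final String AUTH_MODE_NONE = "none";
        private static final String AUTH_MODE_IDENTITY = "identity";

        @Override
        public boolean matches(final ConditionContext context, final AnnotatedTypeMetadata metadata) {
            final Environment env = context.getEnvironment();
            final boolean standaloneGatewayEnabled =
                "true".equals(env.getProperty(STANDALONE_GATEWAY_ENABLED));
            final boolean standaloneAuthEnabled =
                !AUTH_MODE_NONE.equals(env.getProperty(STANDALONE_GATEWAY_AUTH_MODE));
            final boolean embeddedGatewayEnabled =
                "true".equals(env.getProperty(EMBEDDED_GATEWAY_ENABLED));
            final boolean embeddedAuthEnabled =
                !AUTH_MODE_NONE.equals(env.getProperty(EMBEDDED_GATEWAY_AUTH_MODE));

            // The helper's second parameter means "embedded gateway is enabled" (see its log
            // message). The previous code passed the embedded *auth mode* flag instead, which is
            // true whenever that property is unset, so the warning fired for deployments that do
            // not run an embedded gateway at all. The enable flag is what the message describes.
            warnAboutAmbiguity(standaloneGatewayEnabled, embeddedGatewayEnabled, env);

            return (standaloneGatewayEnabled && standaloneAuthEnabled)
                || (embeddedGatewayEnabled && embeddedAuthEnabled);
        }

        /**
         * Warns when the gateway that is <em>not</em> enabled has its security mode set to
         * {@code identity}: only the enabled gateway's mode takes effect, so the other setting is
         * silently ignored and the operator should know.
         *
         * @param standaloneGatewayEnabled whether {@code zeebe.gateway.enable} is {@code true}
         * @param embeddedGatewayEnabled whether {@code zeebe.broker.gateway.enable} is {@code true}
         * @param env property source to read both authentication modes from
         */
        private void warnAboutAmbiguity(
                final boolean standaloneGatewayEnabled,
                final boolean embeddedGatewayEnabled,
                final Environment env) {
            final String standaloneMode = env.getProperty(STANDALONE_GATEWAY_AUTH_MODE);
            final String embeddedMode = env.getProperty(EMBEDDED_GATEWAY_AUTH_MODE);
            if (standaloneGatewayEnabled && AUTH_MODE_IDENTITY.equals(embeddedMode)) {
                LOGGER.warn("Standalone gateway is enabled but embedded gateway security mode is set to identity. This configuration is ambiguous. Only the standalone gateway security mode will be used.");
            }
            if (embeddedGatewayEnabled && AUTH_MODE_IDENTITY.equals(standaloneMode)) {
                LOGGER.warn("Embedded gateway is enabled but standalone gateway security mode is set to identity. This configuration is ambiguous. Only the embedded gateway security mode will be used.");
            }
        }
    }

    /**
     * Highest-precedence chain for operational endpoints: every actuator endpoint plus the
     * {@code /ready}, {@code /health}, {@code /startup} probes and the {@code /error} dispatch.
     * They are all {@code permitAll} so probes and error rendering never depend on a token.
     *
     * <p>NOTE(review): because this chain permits everything it matches, any actuator endpoint
     * exposed over HTTP (e.g. {@code env}, {@code loggers}, {@code heapdump}) is reachable
     * unauthenticated on this server. Keep {@code management.endpoints.web.exposure} minimal and
     * bind the management port to a trusted network; confirm this matches the deployment.
     *
     * @param httpSecurity builder for this chain, injected by Spring
     * @return the management filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    @Order(Integer.MIN_VALUE)
    public SecurityFilterChain managementSecurity(final HttpSecurity httpSecurity) throws Exception {
        httpSecurity.securityMatchers(matchers -> matchers
            .requestMatchers(EndpointRequest.toAnyEndpoint())
            .requestMatchers("/ready", "/health", "/startup")
            .requestMatchers("/error"));
        return configureSecurity(httpSecurity)
            .authorizeHttpRequests(authorize -> authorize.anyRequest().permitAll())
            .build();
    }

    /**
     * Default-precedence chain for the REST gateway (evaluated after {@link #managementSecurity}).
     * Active only when a gateway with a non-{@code none} authentication mode is enabled, see
     * {@link GatewaySecurityAuthenticationEnabledCondition}.
     *
     * <p>Per request: {@code preAuthTokenConverter} extracts the credential,
     * {@code identityAuthenticationManager} validates it, and {@code problemAuthFailureHandler}
     * renders both authentication and authorization failures. On success the tenant ids of the
     * resulting {@code IdentityAuthentication} are published via {@link #injectTenantIds}.
     * Because anonymous access is disabled in {@link #configureSecurity}, a request without
     * credentials has no principal and {@code anyRequest().authenticated()} rejects it through
     * the configured entry point.
     *
     * @param httpSecurity builder for this chain, injected by Spring
     * @param identityAuthenticationManager validates the extracted credential
     * @param preAuthTokenConverter extracts the credential from the request
     * @param problemAuthFailureHandler renders authentication/authorization failures
     * @return the REST gateway filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @ConditionalOnRestGatewayEnabled
    @Conditional({GatewaySecurityAuthenticationEnabledCondition.class})
    @Bean
    public SecurityFilterChain restGatewaySecurity(
            final HttpSecurity httpSecurity,
            final IdentityAuthenticationManager identityAuthenticationManager,
            final PreAuthTokenConverter preAuthTokenConverter,
            final ProblemAuthFailureHandler problemAuthFailureHandler) throws Exception {
        final AuthenticationFilter tokenFilter =
            new AuthenticationFilter(identityAuthenticationManager, preAuthTokenConverter);
        tokenFilter.setFailureHandler(problemAuthFailureHandler);
        // Success does nothing but propagate the tenant ids; the chain then continues normally.
        tokenFilter.setSuccessHandler(SecurityConfiguration::injectTenantIds);

        return configureSecurity(httpSecurity)
            .authenticationManager(identityAuthenticationManager)
            // Authenticate ahead of the servlet-API integration so the security context is
            // already populated when the request is wrapped.
            .addFilterBefore(tokenFilter, SecurityContextHolderAwareRequestFilter.class)
            .exceptionHandling(exceptions -> exceptions
                .authenticationEntryPoint(problemAuthFailureHandler)
                .accessDeniedHandler(problemAuthFailureHandler))
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .build();
    }

    /**
     * Authentication success handler: exposes the tenant ids of an {@code IdentityAuthentication}
     * via {@code TenantAttributeHolder}. Any other {@link Authentication} type is ignored.
     *
     * <p>NOTE(review): the storage scope of {@code TenantAttributeHolder} is not visible here. If
     * it is thread-local rather than request-scoped, it must be cleared when the request ends or
     * tenant context can bleed between requests served by the same pooled thread; confirm.
     *
     * @param request current request (unused)
     * @param response current response (unused)
     * @param authentication the successfully authenticated principal
     */
    private static void injectTenantIds(
            final HttpServletRequest request,
            final HttpServletResponse response,
            final Authentication authentication) throws IOException, ServletException {
        if (authentication instanceof IdentityAuthentication) {
            final IdentityAuthentication identityAuthentication = (IdentityAuthentication) authentication;
            TenantAttributeHolder.withTenantIds(identityAuthentication.tenantIds());
        }
    }

    /**
     * Baseline shared by both chains. The gateway is a credential-per-request API, so the
     * browser-session features are switched off:
     * <ul>
     *   <li>CSRF: disabled because the credential is taken from each request by
     *       {@code PreAuthTokenConverter}, not from a cookie-backed session. If cookie-based
     *       authentication is ever introduced this must be re-enabled.</li>
     *   <li>CORS, logout, form login, HTTP Basic: not part of the API surface.</li>
     *   <li>Anonymous: disabled so an unauthenticated request has no principal at all and
     *       {@code authenticated()} rules fail closed.</li>
     * </ul>
     *
     * <p>NOTE(review): no explicit {@code sessionManagement(...).sessionCreationPolicy(STATELESS)}
     * is configured; the CSRF reasoning above only holds while no chain creates an HTTP session.
     * Confirm, or make statelessness explicit.
     *
     * @param httpSecurity builder to configure
     * @return the same builder, for chaining
     * @throws Exception propagated from the configurers
     */
    private HttpSecurity configureSecurity(final HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
            .csrf(csrf -> csrf.disable())
            .cors(cors -> cors.disable())
            .logout(logout -> logout.disable())
            .formLogin(formLogin -> formLogin.disable())
            .httpBasic(httpBasic -> httpBasic.disable())
            .anonymous(anonymous -> anonymous.disable());
    }
}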
