package io.dialob.boot.security;

import com.nimbusds.jwt.proc.JWTProcessor;
import io.dialob.security.aws.elb.ElbAuthenticationStrategy;
import io.dialob.security.aws.elb.ElbPreAuthenticatedGrantedAuthoritiesUserDetailsService;
import io.dialob.security.aws.elb.PreAuthenticatedCurrentUserProvider;
import io.dialob.security.key.ServletRequestApiKeyExtractor;
import io.dialob.security.spring.ApiKeyCurrentUserProvider;
import io.dialob.security.spring.AuthenticationStrategy;
import io.dialob.security.spring.OAuth2SpringSecurityCurrentUserProvider;
import io.dialob.security.spring.apikey.ApiKeyAuthenticationProvider;
import io.dialob.security.spring.apikey.ApiKeyAuthoritiesProvider;
import io.dialob.security.spring.apikey.ApiKeyValidator;
import io.dialob.security.spring.apikey.ClientApiKeyService;
import io.dialob.security.spring.apikey.FixedClientApiKeyService;
import io.dialob.security.spring.apikey.HmacSHA256ApiKeyValidator;
import io.dialob.security.spring.apikey.RequestHeaderApiKeyExtractor;
import io.dialob.security.user.CurrentUserProvider;
import io.dialob.security.user.DelegateCurrentUserProvider;
import io.dialob.settings.DialobSettings;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.lang.NonNull;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;

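/**
 * Wires the authentication beans of the application: the API-key provider, the
 * pre-authenticated (AWS ELB) provider, the strategy for the selected
 * authentication method and the {@link AuthenticationManager} that combines them.
 *
 * <p>The whole configuration is registered only when {@code dialob.security.enabled}
 * is exactly {@code true}. If the property is absent or has any other value, none of
 * the beans below exist; what protects the endpoints in that case is not visible in
 * this class.
 */
@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
@ConditionalOnProperty(name = {"dialob.security.enabled"}, havingValue = "true")
@Import({ApiServiceSecurityConfigurer.class})
/* loaded from: input_file:BOOT-INF/classes/io/dialob/boot/security/SecurityConfiguration.class */
public class SecurityConfiguration {
    private static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfiguration.class);

    /**
     * Imports the per-area security configurers and selects the authentication
     * strategy and current-user provider from {@code dialob.security.authenticationMethod}.
     * {@code OAUTH2} is also chosen when the property is missing
     * ({@code matchIfMissing = true}); {@code AWSELB} must be set explicitly.
     */
    @Configuration(proxyBeanMethods = false)
    @ConditionalOnProperty(name = {"dialob.security.enabled"}, havingValue = "true")
    @Import({QuestionnaireSecurityConfigurer.class, AdminSecurityConfigurer.class, WebApiSecurityConfigurer.class, ComposerSecurityConfigurer.class, ReviewSecurityConfigurer.class})
    /* loaded from: input_file:BOOT-INF/classes/io/dialob/boot/security/SecurityConfiguration$DialobSecurityConfigurerConfiguration.class */
    public static class DialobSecurityConfigurerConfiguration {
        /**
         * Registers the configurer for the actuator endpoints.
         *
         * @return a new {@link ActuatorEndpointSecurityConfigurer}
         */
        @Bean
        public ActuatorEndpointSecurityConfigurer actuatorEndpointSecurityConfigurer() {
            return new ActuatorEndpointSecurityConfigurer();
        }

        /**
         * Creates the OAuth2 authentication strategy; this is the default method.
         *
         * @param grantedAuthoritiesMapper mapper handed to the strategy
         * @param oAuth2AccessTokenResponseClient token client for the authorization-code grant
         * @return the OAuth2 strategy
         */
        @ConditionalOnProperty(name = {"dialob.security.authenticationMethod"}, havingValue = "OAUTH2", matchIfMissing = true)
        @Bean
        public AuthenticationStrategy authenticationStrategyOauth2(GrantedAuthoritiesMapper grantedAuthoritiesMapper, OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> oAuth2AccessTokenResponseClient) {
            return new OAuth2AuthenticationStrategy(grantedAuthoritiesMapper, oAuth2AccessTokenResponseClient);
        }

        /**
         * Creates the AWS ELB authentication strategy and applies the optional header
         * overrides from the settings.
         *
         * <p>NOTE(review): the principal and credentials are read from request headers
         * whose names come from configuration. Header-based pre-authentication is only
         * sound when the service is reachable exclusively through the load balancer
         * and the forwarded token is verified (presumably by {@code jWTProcessor});
         * confirm both against the deployment and against {@link ElbAuthenticationStrategy}.
         *
         * @param dialobSettings source of the optional ELB header names
         * @param grantedAuthoritiesMapper mapper handed to the strategy
         * @param jWTProcessor JWT processor handed to the strategy
         * @param authenticationManager manager handed to the strategy
         * @return the configured ELB strategy
         */
        @ConditionalOnProperty(name = {"dialob.security.authenticationMethod"}, havingValue = "AWSELB")
        @Bean
        public AuthenticationStrategy authenticationStrategyElb(DialobSettings dialobSettings, GrantedAuthoritiesMapper grantedAuthoritiesMapper, JWTProcessor jWTProcessor, AuthenticationManager authenticationManager) {
            ElbAuthenticationStrategy strategy = new ElbAuthenticationStrategy(grantedAuthoritiesMapper, jWTProcessor, authenticationManager);
            // An absent Optional leaves the strategy's own default header name in place.
            Optional<String> principalHeader = dialobSettings.getAws().getElb().getPrincipalRequestHeader();
            principalHeader.ifPresent(strategy::setPrincipalRequestHeader);
            Optional<String> credentialsHeader = dialobSettings.getAws().getElb().getCredentialsRequestHeader();
            credentialsHeader.ifPresent(strategy::setCredentialsRequestHeader);
            return strategy;
        }

        /**
         * Creates the provider for pre-authenticated tokens, backed by
         * {@link ElbPreAuthenticatedGrantedAuthoritiesUserDetailsService}.
         *
         * <p>This bean carries no {@code authenticationMethod} condition, so it is
         * also part of the {@link AuthenticationManager} in OAUTH2 mode.
         *
         * @return the pre-authenticated provider
         */
        @Bean
        public AuthenticationProvider preAuthenticatedAuthenticationProvider() {
            PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
            // Reject with an exception instead of returning null, so a rejected
            // token cannot fall through silently to a later provider.
            provider.setThrowExceptionWhenTokenRejected(true);
            provider.setPreAuthenticatedUserDetailsService(new ElbPreAuthenticatedGrantedAuthoritiesUserDetailsService());
            return provider;
        }

        /**
         * Current-user lookup for OAUTH2 mode: the OAuth2 provider and the API-key
         * provider, both passed to {@link DelegateCurrentUserProvider}.
         *
         * @return the delegating provider
         */
        @ConditionalOnProperty(name = {"dialob.security.authenticationMethod"}, havingValue = "OAUTH2", matchIfMissing = true)
        @Bean
        public CurrentUserProvider currentUserProviderO2() {
            return new DelegateCurrentUserProvider(new OAuth2SpringSecurityCurrentUserProvider(), new ApiKeyCurrentUserProvider());
        }

        /**
         * Current-user lookup for AWSELB mode: the pre-authenticated provider and the
         * API-key provider, both passed to {@link DelegateCurrentUserProvider}.
         *
         * @return the delegating provider
         */
        @ConditionalOnProperty(name = {"dialob.security.authenticationMethod"}, havingValue = "AWSELB")
        @Bean
        public CurrentUserProvider currentUserProviderELB() {
            return new DelegateCurrentUserProvider(new PreAuthenticatedCurrentUserProvider(), new ApiKeyCurrentUserProvider());
        }
    }

    /**
     * Registers the API-key extractor. Despite the "requestParameter" in the bean
     * name, the extractor reads the key from a request header; the method name is
     * the bean name and is therefore left unchanged.
     *
     * @return a {@link RequestHeaderApiKeyExtractor}
     */
    @Bean
    public ServletRequestApiKeyExtractor requestParameterServletApiKeyExtractor() {
        return new RequestHeaderApiKeyExtractor();
    }

    /**
     * Creates the HMAC-SHA256 API-key validator keyed with the configured salt.
     *
     * <p>The salt is key material: it must come from a protected configuration
     * source and must never be logged.
     *
     * @param dialobSettings source of the API-key salt
     * @return the validator
     * @throws NullPointerException if no salt is configured
     */
    @Bean
    public ApiKeyValidator apiKeyValidator(DialobSettings dialobSettings) {
        // Fail at startup with a readable message rather than a bare NPE from getBytes().
        String salt = Objects.requireNonNull(dialobSettings.getApi().getApiKeySalt(), "API key salt (DialobSettings api.apiKeySalt) must be configured when security is enabled");
        // NOTE(review): getBytes() uses the platform default charset, so a non-ASCII
        // salt yields different key bytes on hosts with different defaults. Pinning
        // a charset here would change which stored hashes validate, so confirm how
        // the existing hashes were generated before changing it.
        return new HmacSHA256ApiKeyValidator(salt.getBytes());
    }

    /**
     * Builds the fixed, in-memory API-key registry from the configured entries.
     *
     * @param dialobSettings source of the configured API keys
     * @return a service holding every configured key
     */
    @Bean
    public ClientApiKeyService clientApiKeyService(DialobSettings dialobSettings) {
        List<DialobSettings.ApiSettings.ApiKey> configuredKeys = dialobSettings.getApi().getApiKeys();
        // Only the count is logged; client ids and hashes stay out of the log.
        LOGGER.info("{} api keys found.", configuredKeys.size());
        FixedClientApiKeyService.FixedClientApiKeyServiceBuilder builder = FixedClientApiKeyService.builder();
        for (DialobSettings.ApiSettings.ApiKey key : configuredKeys) {
            builder.addKey(key.getClientId(), key.getHash(), key.getTenantId(), key.getPermissions());
        }
        return builder.build();
    }

    /**
     * Creates the provider that authenticates requests carrying an API key.
     *
     * @param clientApiKeyService registry of known client keys
     * @param apiKeyAuthoritiesProvider resolves the authorities granted to a key
     * @param apiKeyValidator validates a presented key
     * @return the API-key provider
     */
    @Bean
    AuthenticationProvider apiKeyAuthenticationProvider(@NonNull ClientApiKeyService clientApiKeyService, @NonNull ApiKeyAuthoritiesProvider apiKeyAuthoritiesProvider, @NonNull ApiKeyValidator apiKeyValidator) {
        return new ApiKeyAuthenticationProvider(clientApiKeyService, apiKeyAuthoritiesProvider, apiKeyValidator);
    }

    /**
     * Combines every {@link AuthenticationProvider} bean into one manager.
     *
     * <p>With no providers the manager fails closed: each authentication attempt is
     * rejected with {@link ProviderNotFoundException}. The previous fallback
     * returned the submitted token unchanged, so nothing ever validated it and the
     * caller received no error. The application still starts, because
     * {@link ProviderManager} is not constructed with an empty list.
     *
     * @param list all provider beans in the context
     * @return a {@link ProviderManager} over the providers, or a rejecting manager
     *     when there are none
     */
    @Bean
    public AuthenticationManager authenticationManager(List<AuthenticationProvider> list) {
        if (list.isEmpty()) {
            LOGGER.warn("No AuthenticationProvider beans found; all authentication attempts will be rejected.");
            return authentication -> {
                throw new ProviderNotFoundException("No AuthenticationProvider is configured");
            };
        }
        return new ProviderManager(list);
    }
}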
