package ai.yda.framework.channel.rest.spring.streaming.security;

import ai.yda.framework.channel.rest.spring.streaming.RestSpringStreamingProperties;
import ai.yda.framework.channel.rest.spring.streaming.session.SessionHandlerFilter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
import org.springframework.web.cors.CorsConfiguration;

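/**
 * WebFlux security wiring for the streaming REST channel.
 *
 * <p>Exactly one {@link SecurityWebFilterChain} is intended to be active: the token-protected
 * {@link #filterChain} when the {@code security-token} property is present, otherwise the
 * permit-all {@link #defaultFilterChain}. Both chains share the same CORS and session-filter setup.
 *
 * <p>NOTE(review): the fallback is fail-open. A deployment that omits (or misspells) the
 * {@code security-token} property serves the endpoint without authentication and nothing in this
 * class reports that at startup.
 */
@Configuration
@EnableWebFluxSecurity
public class SecurityConfiguration {

    /**
     * Builds the chain that requires authentication on the configured endpoint path.
     *
     * <p>Only the path returned by {@code getEndpointRelativePath()} is matched as
     * {@code authenticated()}; every other exchange is permitted.
     *
     * @param serverHttpSecurity the builder supplied by Spring Security
     * @param restSpringStreamingProperties channel properties (endpoint path, token, CORS settings)
     * @return the built filter chain
     */
    @ConditionalOnProperty(prefix = RestSpringStreamingProperties.CONFIG_PREFIX, name = {"security-token"})
    @Bean
    public SecurityWebFilterChain filterChain(ServerHttpSecurity serverHttpSecurity, RestSpringStreamingProperties restSpringStreamingProperties) {
        // One repository instance is shared by the chain and the token filter so both read and
        // write the security context in the same place (the WebSession).
        WebSessionServerSecurityContextRepository contextRepository = new WebSessionServerSecurityContextRepository();

        // NOTE(review): CSRF protection is off while the security context is session-backed and
        // configureCors allows credentials. If the session cookie alone is enough to authenticate
        // follow-up requests (TokenAuthenticationFilter is not shown here; confirm), cross-site
        // request protection rests on the cookie's SameSite setting and the CORS allow-list.
        serverHttpSecurity
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .authorizeExchange(exchanges -> exchanges
                        // NOTE(review): presumably an exact path; sub-paths are only covered if the
                        // configured value is a pattern. Verify against the properties class.
                        .pathMatchers(restSpringStreamingProperties.getEndpointRelativePath()).authenticated()
                        .anyExchange().permitAll())
                .securityContextRepository(contextRepository);

        // NOTE(review): @ConditionalOnProperty without havingValue matches any present value other
        // than "false", so an empty token would still activate this chain. Confirm that the
        // properties class or TokenAuthenticationFilter rejects a blank token.
        serverHttpSecurity.addFilterAfter(
                new TokenAuthenticationFilter(restSpringStreamingProperties.getSecurityToken(), contextRepository),
                SecurityWebFiltersOrder.ANONYMOUS_AUTHENTICATION);

        configureCors(serverHttpSecurity, restSpringStreamingProperties);
        configureSessionManagement(serverHttpSecurity);
        return serverHttpSecurity.build();
    }

    /**
     * Builds the fallback chain used when no other {@link SecurityWebFilterChain} bean exists.
     *
     * <p>Every exchange is permitted and CSRF protection is disabled, so this chain performs no
     * access control of its own.
     *
     * @param serverHttpSecurity the builder supplied by Spring Security
     * @param restSpringStreamingProperties channel properties (CORS settings)
     * @return the built filter chain
     */
    @ConditionalOnMissingBean
    @Bean
    public SecurityWebFilterChain defaultFilterChain(ServerHttpSecurity serverHttpSecurity, RestSpringStreamingProperties restSpringStreamingProperties) {
        serverHttpSecurity
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .authorizeExchange(exchanges -> exchanges.anyExchange().permitAll())
                .securityContextRepository(new WebSessionServerSecurityContextRepository());
        configureCors(serverHttpSecurity, restSpringStreamingProperties);
        configureSessionManagement(serverHttpSecurity);
        return serverHttpSecurity.build();
    }

    /**
     * Applies the CORS policy from the channel properties, or disables CORS handling in the chain.
     *
     * @param serverHttpSecurity the builder being configured
     * @param restSpringStreamingProperties source of the enabled flag, allowed origins and methods
     */
    private void configureCors(ServerHttpSecurity serverHttpSecurity, RestSpringStreamingProperties restSpringStreamingProperties) {
        // Boolean.TRUE.equals is null-safe: an unset flag now disables CORS instead of failing
        // with a NullPointerException while the chain is being built.
        if (!Boolean.TRUE.equals(restSpringStreamingProperties.getCorsEnabled())) {
            serverHttpSecurity.cors(ServerHttpSecurity.CorsSpec::disable);
            return;
        }

        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowedOrigins(restSpringStreamingProperties.getAllowedOrigins());
        corsConfiguration.setAllowedMethods(restSpringStreamingProperties.getAllowedMethods());
        // Credentials (cookies, Authorization headers) are always allowed, so the configured
        // origin list is the trust boundary: it must name specific origins.
        // NOTE(review): a "*" entry in allowed-origins is incompatible with credentialed CORS;
        // recent Spring versions reject that combination when a request is processed. Verify
        // against the Spring version in use and consider validating the list at startup.
        corsConfiguration.setAllowCredentials(true);
        corsConfiguration.addAllowedHeader("*");
        serverHttpSecurity.cors(corsSpec -> corsSpec.configurationSource(exchange -> corsConfiguration));
    }

    /**
     * Registers {@link SessionHandlerFilter} after the anonymous-authentication position.
     *
     * <p>NOTE(review): in {@link #filterChain} the token filter is registered at the same position
     * earlier in the method; the relative order of the two filters is presumably their
     * registration order. Confirm if SessionHandlerFilter depends on the authenticated context.
     *
     * @param serverHttpSecurity the builder being configured
     */
    private void configureSessionManagement(ServerHttpSecurity serverHttpSecurity) {
        serverHttpSecurity.addFilterAfter(new SessionHandlerFilter(), SecurityWebFiltersOrder.ANONYMOUS_AUTHENTICATION);
    }
}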
