package au.csiro.pathling.security;

import au.csiro.pathling.config.ServerConfiguration;
import au.csiro.pathling.utilities.Preconditions;
import jakarta.annotation.Nonnull;
import jakarta.annotation.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Profile({"server"})
@Configuration
@EnableWebSecurity
/* loaded from: input_file:au/csiro/pathling/security/SecurityConfiguration.class */
public class SecurityConfiguration {
    private static final Logger log = LoggerFactory.getLogger(SecurityConfiguration.class);

    @Nonnull
    private final ServerConfiguration configuration;

    @Nullable
    private final JwtAuthenticationConverter authenticationConverter;

    @Nullable
    private final JwtDecoder jwtDecoder;

    @Value("${pathling.auth.enabled}")
    private boolean authEnabled;

    public SecurityConfiguration(@Nonnull ServerConfiguration serverConfiguration, @Nullable JwtAuthenticationConverter jwtAuthenticationConverter, @Nullable JwtDecoder jwtDecoder) {
        this.configuration = serverConfiguration;
        this.authenticationConverter = jwtAuthenticationConverter;
        this.jwtDecoder = jwtDecoder;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(@Nonnull HttpSecurity httpSecurity) throws Exception {
        if (this.authEnabled) {
            Preconditions.check(this.authenticationConverter != null, "Authentication converter must be provided when authentication is enabled", new Object[0]);
            Preconditions.check(this.jwtDecoder != null, "JWT decoder must be provided when authentication is enabled", new Object[0]);
            httpSecurity.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.requestMatchers(HttpMethod.GET, new String[]{"/fhir/metadata"})).permitAll().requestMatchers(HttpMethod.GET, new String[]{"/fhir/OperationDefinition/**"})).permitAll().requestMatchers(HttpMethod.GET, new String[]{"/fhir/.well-known/**"})).permitAll().anyRequest()).authenticated();
            }).cors(corsConfigurer -> {
                corsConfigurer.configurationSource(corsConfigurationSource());
            }).oauth2ResourceServer(oAuth2ResourceServerConfigurer -> {
                oAuth2ResourceServerConfigurer.jwt(jwtConfigurer -> {
                    jwtConfigurer.jwtAuthenticationConverter(this.authenticationConverter).decoder(this.jwtDecoder);
                });
            });
        } else {
            httpSecurity.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry2 -> {
                ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry2.anyRequest()).permitAll();
            }).csrf((v0) -> {
                v0.disable();
            });
        }
        return (SecurityFilterChain) httpSecurity.build();
    }

    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowedOrigins(this.configuration.getCors().getAllowedOrigins());
        corsConfiguration.setAllowedOriginPatterns(this.configuration.getCors().getAllowedOriginPatterns());
        corsConfiguration.setAllowedMethods(this.configuration.getCors().getAllowedMethods());
        corsConfiguration.setAllowedHeaders(this.configuration.getCors().getAllowedHeaders());
        corsConfiguration.setExposedHeaders(this.configuration.getCors().getExposedHeaders());
        corsConfiguration.setMaxAge(this.configuration.getCors().getMaxAge());
        corsConfiguration.setAllowCredentials(Boolean.valueOf(this.configuration.getAuth().isEnabled()));
        UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
        urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
        return urlBasedCorsConfigurationSource;
    }
}
