package io.antmedia;

import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

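/**
 * Spring Security wiring for a stream application that authenticates against Keycloak.
 *
 * <p>Two authentication paths are enabled on the same filter chain: browser login through
 * the OAuth2 authorization-code flow ({@code oauth2Login}) and bearer-token access as an
 * OAuth2 resource server ({@code oauth2ResourceServer().jwt()}).
 *
 * <p>{@code realmUrl} and {@code appName} have no usable default and must be injected through
 * the setters before any bean method runs. Bean methods that need them fail fast instead of
 * silently building rules or endpoints from the literal text {@code "null"}.
 */
@EnableWebSecurity
/* loaded from: input_file:WEB-INF/classes/io/antmedia/SecurityConfiguration.class */
class SecurityConfiguration {
    private static final String GROUPS = "groups";
    private static final String REALM_ACCESS_CLAIM = "realm_access";
    private static final String ROLES_CLAIM = "roles";
    private String realmUrl = null;
    private String appName = null;
    private String clientId = "stream-application";
    private String role = "user";

    SecurityConfiguration() {
    }

    /**
     * Builds the filter chain that authorizes requests to the application.
     *
     * <p>Rule order matters, the first matching rule wins:
     * <ol>
     *   <li>{@code OPTIONS} on any path is open (CORS pre-flight).</li>
     *   <li>{@code /rest/**} is open at this layer.</li>
     *   <li>{@code /<appName>/**} requires the configured role.</li>
     *   <li>{@code /} is open.</li>
     *   <li>Everything else requires an authenticated caller.</li>
     * </ol>
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the configured filter chain
     * @throws IllegalStateException if {@code appName} has not been set
     * @throws Exception if Spring Security cannot build the chain
     */
    @Bean
    public SecurityFilterChain resourceServerFilterChain(HttpSecurity httpSecurity) throws Exception {
        // Without this check a missing appName yields the pattern "/null/**": the role rule
        // then never matches the real application path, which silently falls through to the
        // weaker "any authenticated user" rule.
        String protectedApp = requireConfigured(this.appName, "appName");

        httpSecurity.authorizeHttpRequests(registry -> registry
                .requestMatchers(new AntPathRequestMatcher("/**", HttpMethod.OPTIONS.name())).permitAll()
                // NOTE(review): /rest/** is unauthenticated here; presumably the REST API is
                // protected by a separate filter. Confirm before exposing this deployment.
                .requestMatchers(new AntPathRequestMatcher("/rest/**")).permitAll()
                // hasRole() prepends "ROLE_", matching generateAuthoritiesFromClaim().
                .requestMatchers(new AntPathRequestMatcher("/" + protectedApp + "/**")).hasRole(this.role)
                .requestMatchers(new AntPathRequestMatcher("/")).permitAll()
                .anyRequest().authenticated());

        // NOTE(review): CSRF protection is off while oauth2Login() is enabled. If the login
        // flow establishes a cookie-backed session, state-changing requests made with that
        // session are not CSRF-protected. Confirm this is acceptable for the endpoints served.
        httpSecurity.csrf(csrf -> csrf.disable());

        // NOTE(review): bearer tokens use the default JWT authority conversion. The authorities
        // mapper below is a login-side mapper, so unless a JWT converter is registered elsewhere,
        // realm roles inside a bearer token are not turned into ROLE_ authorities. Confirm.
        httpSecurity.oauth2ResourceServer(resourceServer -> resourceServer.jwt(Customizer.withDefaults()));
        httpSecurity.oauth2Login(Customizer.withDefaults());
        return httpSecurity.build();
    }

    /**
     * Maps Keycloak role information of a logged-in user to Spring {@code ROLE_*} authorities.
     *
     * <p>Only the first authority of the incoming collection is inspected. For an
     * {@link OidcUserAuthority} the roles come from {@code realm_access.roles} of the user info,
     * or from {@code groups} when {@code realm_access} is absent. For a plain
     * {@link OAuth2UserAuthority} they come from {@code realm_access.roles} of the attributes.
     * The returned set replaces the incoming authorities; nothing else is carried over.
     *
     * <p>Claims are identity-provider data and are treated as untrusted in shape: an empty
     * authority collection, a missing user info, or a claim of an unexpected type yields no
     * roles (so role-protected paths stay denied) rather than an exception during login.
     *
     * @return the authorities mapper bean
     */
    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapperForKeycloak() {
        return authorities -> {
            Collection<GrantedAuthority> mapped = new HashSet<>();
            if (authorities == null || authorities.isEmpty()) {
                return mapped;
            }
            GrantedAuthority first = authorities.iterator().next();
            // OidcUserAuthority extends OAuth2UserAuthority, so it has to be tested first.
            if (first instanceof OidcUserAuthority) {
                OidcUserInfo userInfo = ((OidcUserAuthority) first).getUserInfo();
                if (userInfo == null) {
                    return mapped;
                }
                if (userInfo.hasClaim(REALM_ACCESS_CLAIM)) {
                    Object realmAccess = userInfo.getClaim(REALM_ACCESS_CLAIM);
                    mapped.addAll(generateAuthoritiesFromClaim(realmRolesOf(realmAccess)));
                } else if (userInfo.hasClaim(GROUPS)) {
                    Object groups = userInfo.getClaim(GROUPS);
                    mapped.addAll(generateAuthoritiesFromClaim(stringValuesOf(groups)));
                }
            } else if (first instanceof OAuth2UserAuthority) {
                Map<String, Object> attributes = ((OAuth2UserAuthority) first).getAttributes();
                if (attributes.containsKey(REALM_ACCESS_CLAIM)) {
                    mapped.addAll(generateAuthoritiesFromClaim(realmRolesOf(attributes.get(REALM_ACCESS_CLAIM))));
                }
            }
            return mapped;
        };
    }

    /**
     * Creates the registry that tracks authenticated sessions.
     *
     * @return a new in-memory session registry
     */
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /**
     * Creates the strategy that records a session in the registry after authentication.
     *
     * @return the session authentication strategy
     */
    @Bean
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // NOTE(review): sessionRegistry() is called directly. Whether that returns the shared
        // SessionRegistry bean or a second instance depends on how this class is registered
        // (proxied configuration class vs. plain bean). Confirm both refer to one registry.
        return new RegisterSessionAuthenticationStrategy(sessionRegistry());
    }

    /**
     * Publishes HTTP session lifecycle events into the Spring application context.
     *
     * @return the event publisher
     */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    /**
     * Converts role names into authorities named {@code ROLE_<name>}.
     *
     * @param collection role names; {@code null} and {@code null} elements are ignored
     * @return one authority per role name, empty when there are none
     */
    Collection<GrantedAuthority> generateAuthoritiesFromClaim(Collection<String> collection) {
        Collection<String> roleNames = collection == null ? new HashSet<String>() : collection;
        return roleNames.stream()
                .filter(roleName -> roleName != null)
                .<GrantedAuthority>map(roleName -> new SimpleGrantedAuthority("ROLE_" + roleName))
                .collect(Collectors.toList());
    }

    /**
     * Creates the decoder that verifies bearer tokens against the realm's published key set.
     *
     * <p>No issuer or audience validator is added in this class, so a token is accepted on
     * signature and the decoder's built-in checks alone. NOTE(review): consider pinning the
     * expected issuer once it is confirmed that it equals {@code realmUrl} in every deployment.
     *
     * @return the JWT decoder
     * @throws IllegalStateException if {@code realmUrl} has not been set
     */
    @Bean
    public JwtDecoder jwtDecoder() {
        String realm = requireConfigured(this.realmUrl, "realmUrl");
        return NimbusJwtDecoder.withJwkSetUri(realm + "/protocol/openid-connect/certs").build();
    }

    /**
     * Exposes the single Keycloak client registration as an in-memory repository.
     *
     * @return the client registration repository
     */
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(keycloakClientRegistration());
    }

    /**
     * Creates the resolver for authorization requests started under {@code /oauth2/authorization}.
     *
     * @param clientRegistrationRepository the repository holding the known registrations
     * @return the authorization request resolver
     */
    @Bean
    public OAuth2AuthorizationRequestResolver authorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository) {
        return new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, "/oauth2/authorization");
    }

    /**
     * Creates the default OIDC user service.
     *
     * @return the user service
     */
    @Bean
    public OidcUserService oidcUserService() {
        return new OidcUserService();
    }

    /**
     * Describes the Keycloak client used for the authorization-code login flow.
     *
     * <p>All endpoints are derived from {@code realmUrl}; the registration carries no client
     * secret. NOTE(review): the endpoints inherit the scheme of {@code realmUrl}; confirm it
     * is an {@code https} URL outside of local testing.
     *
     * @return the client registration
     * @throws IllegalStateException if {@code realmUrl} has not been set
     */
    @Bean
    public ClientRegistration keycloakClientRegistration() {
        String realm = requireConfigured(this.realmUrl, "realmUrl");
        return ClientRegistration.withRegistrationId("keycloak")
                .clientId(this.clientId)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid")
                .authorizationUri(realm + "/protocol/openid-connect/auth")
                .tokenUri(realm + "/protocol/openid-connect/token")
                .userInfoUri(realm + "/protocol/openid-connect/userinfo")
                .userNameAttributeName("preferred_username")
                .jwkSetUri(realm + "/protocol/openid-connect/certs")
                .clientName("Keycloak")
                .build();
    }

    /** Sets the base URL of the Keycloak realm; endpoint paths are appended to it. */
    public void setRealmUrl(String str) {
        this.realmUrl = str;
    }

    /** Sets the application name whose path {@code /<appName>/**} requires the role. */
    public void setAppName(String str) {
        this.appName = str;
    }

    /** Sets the OAuth2 client id used in the Keycloak registration. */
    public void setClientId(String str) {
        this.clientId = str;
    }

    /** Sets the role name (without the {@code ROLE_} prefix) required for the application path. */
    public void setRole(String str) {
        this.role = str;
    }

    /** Returns {@code value}, or fails when a mandatory property was never injected. */
    private static String requireConfigured(String value, String propertyName) {
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException(
                    "SecurityConfiguration property '" + propertyName + "' must be set before the security beans are created");
        }
        return value;
    }

    /** Extracts the {@code roles} entry of a {@code realm_access} claim; empty if the shape is unexpected. */
    private static Collection<String> realmRolesOf(Object realmAccess) {
        if (realmAccess instanceof Map) {
            return stringValuesOf(((Map<?, ?>) realmAccess).get(ROLES_CLAIM));
        }
        return new HashSet<>();
    }

    /** Keeps the string elements of a collection-valued claim; anything else is dropped. */
    private static Collection<String> stringValuesOf(Object claim) {
        Collection<String> values = new HashSet<>();
        if (claim instanceof Collection) {
            for (Object element : (Collection<?>) claim) {
                if (element instanceof String) {
                    values.add((String) element);
                }
            }
        }
        return values;
    }
}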
