package io.camunda.authentication.config;

import io.camunda.authentication.CamundaUserDetailsService;
import io.camunda.authentication.filters.TenantRequestAttributeFilter;
import io.camunda.authentication.handler.AuthFailureHandler;
import io.camunda.authentication.handler.CustomMethodSecurityExpressionHandler;
import io.camunda.security.configuration.MultiTenancyConfiguration;
import io.camunda.service.AuthorizationServices;
import io.camunda.service.RoleServices;
import io.camunda.service.TenantServices;
import io.camunda.service.UserServices;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.context.annotation.Profile;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;

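/**
 * Spring Security wiring for the Camunda web layer.
 *
 * <p>Active only under the {@code auth-basic} or {@code auth-oidc} profile. Both profiles share
 * {@link #baseHttpSecurity(HttpSecurity, AuthFailureHandler)}, which permits the paths in
 * {@link #UNAUTHENTICATED_PATHS}, requires authentication for every other request, enables HSTS
 * and disables CSRF, CORS, form login and anonymous authentication. Each profile then layers its
 * own login mechanism on top: HTTP Basic, or OIDC login plus JWT resource-server support.
 */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
@Profile({"auth-basic|auth-oidc"})
public class WebSecurityConfig {
    /**
     * Request paths served without any authentication. NOTE(review): {@code /actuator/**} is
     * matched as a whole, so every actuator endpoint exposed on this port is reachable without
     * credentials — confirm the management exposure settings limit that to what is intended.
     */
    public static final String[] UNAUTHENTICATED_PATHS = {"/login", "/logout", "/error", "/actuator/**", "/ready", "/health", "/startup", "/v1/external/process/**", "/new/**"};

    /** Registration id under which the OIDC client is looked up in the {@link ClientRegistrationRepository}. */
    private static final String OIDC_CLIENT_REGISTRATION_ID = "oidcclient";

    /** HSTS max-age: two years, above the one-year minimum the browser preload list requires. */
    private static final long HSTS_MAX_AGE_SECONDS = 63072000L;

    private static final Logger LOG = LoggerFactory.getLogger(WebSecurityConfig.class);

    /**
     * Supplies the expression handler backing method-security annotations, unless the
     * application already defines one.
     *
     * @param authorizationServices services the custom expression handler is built around
     * @return a {@link CustomMethodSecurityExpressionHandler}
     */
    @ConditionalOnMissingBean({MethodSecurityExpressionHandler.class})
    @Bean
    public MethodSecurityExpressionHandler methodSecurityExpressionHandler(AuthorizationServices authorizationServices) {
        return new CustomMethodSecurityExpressionHandler(authorizationServices);
    }

    /**
     * User lookup for the basic-auth profile.
     *
     * @param userServices          user store
     * @param authorizationServices authorization lookup
     * @param roleServices          role lookup
     * @param tenantServices        tenant lookup
     * @return the {@link CamundaUserDetailsService} consulted by HTTP Basic authentication
     */
    @Profile({"auth-basic"})
    @Bean
    public CamundaUserDetailsService camundaUserDetailsService(UserServices userServices, AuthorizationServices authorizationServices, RoleServices roleServices, TenantServices tenantServices) {
        return new CamundaUserDetailsService(userServices, authorizationServices, roleServices, tenantServices);
    }

    /**
     * Builds the filter chain from the profile-specific {@link HttpSecurity} bean.
     *
     * @param httpSecurity the (already customised) builder
     * @return the built filter chain
     * @throws IllegalStateException if the builder fails; the original exception is kept as cause
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) {
        try {
            // build() returns DefaultSecurityFilterChain, which already is a SecurityFilterChain.
            return httpSecurity.build();
        } catch (Exception e) {
            // build() declares a checked Exception; a broken chain must abort context startup,
            // so surface it unchecked with a message and the cause preserved.
            throw new IllegalStateException("Failed to build the security filter chain", e);
        }
    }

    /**
     * {@link HttpSecurity} for the OIDC profile: the shared base configuration plus JWT
     * resource-server validation against the provider's JWK set, OIDC login and logout, and a
     * redirect to {@code /} after logout.
     *
     * @param httpSecurity                 builder to customise
     * @param authFailureHandler           handler for access-denied responses
     * @param clientRegistrationRepository source of the OIDC client registration
     * @return the customised builder
     * @throws IllegalStateException if no registration named {@value #OIDC_CLIENT_REGISTRATION_ID} exists
     * @throws Exception             propagated from the {@link HttpSecurity} configurers
     */
    @Profile({"auth-oidc"})
    @Bean
    @Primary
    public HttpSecurity oidcHttpSecurity(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler, ClientRegistrationRepository clientRegistrationRepository) throws Exception {
        final ClientRegistration registration = clientRegistrationRepository.findByRegistrationId(OIDC_CLIENT_REGISTRATION_ID);
        if (registration == null) {
            // findByRegistrationId returns null for an unknown id; fail with a clear message
            // instead of a NullPointerException from deep inside the configurer chain.
            throw new IllegalStateException("No OIDC client registration found with id '" + OIDC_CLIENT_REGISTRATION_ID + "'");
        }
        final String jwkSetUri = registration.getProviderDetails().getJwkSetUri();
        return baseHttpSecurity(httpSecurity, authFailureHandler)
                .oauth2ResourceServer(resourceServer -> resourceServer.jwt(jwt -> jwt.jwkSetUri(jwkSetUri)))
                .oauth2Login(Customizer.withDefaults())
                .oidcLogout(Customizer.withDefaults())
                .logout(logout -> logout.logoutSuccessUrl("/"));
    }

    /**
     * {@link HttpSecurity} for the basic-auth profile: the shared base configuration plus HTTP
     * Basic authentication and a redirect to {@code /} after logout.
     *
     * @param httpSecurity       builder to customise
     * @param authFailureHandler handler for access-denied responses
     * @return the customised builder
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    @Profile({"auth-basic"})
    @Bean
    @Primary
    public HttpSecurity localHttpSecurity(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler) throws Exception {
        LOG.info("Configuring basic auth login");
        return baseHttpSecurity(httpSecurity, authFailureHandler)
                .httpBasic(Customizer.withDefaults())
                .logout(logout -> logout.logoutSuccessUrl("/"));
    }

    /**
     * Configuration shared by both profiles.
     *
     * <p>Permits {@link #UNAUTHENTICATED_PATHS}, authenticates everything else, sends an HSTS
     * header (including subdomains, preload), routes access-denied responses through
     * {@code authFailureHandler}, and disables CSRF, CORS, form login and anonymous
     * authentication.
     *
     * @param httpSecurity       builder to customise
     * @param authFailureHandler handler for access-denied responses
     * @return the customised builder
     * @throws IllegalStateException if a configurer fails; the original exception is kept as cause
     */
    private HttpSecurity baseHttpSecurity(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler) {
        try {
            return httpSecurity
                    .authorizeHttpRequests(requests -> requests
                            .requestMatchers(UNAUTHENTICATED_PATHS).permitAll()
                            .anyRequest().authenticated())
                    .headers(headers -> headers.httpStrictTransportSecurity(hsts -> hsts
                            .includeSubDomains(true)
                            .maxAgeInSeconds(HSTS_MAX_AGE_SECONDS)
                            .preload(true)))
                    .exceptionHandling(exceptions -> exceptions.accessDeniedHandler(authFailureHandler))
                    // CSRF is off for the whole chain. NOTE(review): the OIDC profile signs
                    // browsers in with a session cookie, so state-changing endpoints get no
                    // framework CSRF protection — confirm that is intended.
                    .csrf(csrf -> csrf.disable())
                    .cors(cors -> cors.disable())
                    .formLogin(formLogin -> formLogin.disable())
                    // With anonymous disabled, requests to permitted paths carry no Authentication.
                    .anonymous(anonymous -> anonymous.disable());
        } catch (Exception e) {
            throw new IllegalStateException("Failed to configure base HTTP security", e);
        }
    }

    /**
     * Registers the {@link TenantRequestAttributeFilter} with the servlet container.
     *
     * @param multiTenancyConfiguration tenancy settings handed to the filter
     * @return the filter registration
     */
    @Bean
    public FilterRegistrationBean<TenantRequestAttributeFilter> tenantRequestAttributeFilterRegistration(MultiTenancyConfiguration multiTenancyConfiguration) {
        // The servlet-registration varargs are simply left empty.
        return new FilterRegistrationBean<>(new TenantRequestAttributeFilter(multiTenancyConfiguration));
    }
}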
