package io.camunda.authentication.config;

import com.google.common.collect.Sets;
import io.camunda.authentication.CamundaUserDetailsService;
import io.camunda.authentication.ConditionalOnAuthenticationMethod;
import io.camunda.authentication.filters.TenantRequestAttributeFilter;
import io.camunda.authentication.handler.AuthFailureHandler;
import io.camunda.authentication.handler.CustomMethodSecurityExpressionHandler;
import io.camunda.security.configuration.MultiTenancyConfiguration;
import io.camunda.security.configuration.SecurityConfiguration;
import io.camunda.security.entity.AuthenticationMethod;
import io.camunda.service.AuthorizationServices;
import io.camunda.service.RoleServices;
import io.camunda.service.TenantServices;
import io.camunda.service.UserServices;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.util.Arrays;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
@Profile({"consolidated-auth"})
/* loaded from: input_file:io/camunda/authentication/config/WebSecurityConfig.class */
public class WebSecurityConfig {
    public static final String SESSION_COOKIE = "camunda-session";
    private static final int ORDER_WEBAPP_API_PROTECTION = 1;
    private static final int ORDER_UNPROTECTED_API = 2;
    private static final int ORDER_LOGIN_LOGOUT_HANDLING = 3;
    private static final String LOGOUT_URL = "/logout";
    private static final Logger LOG = LoggerFactory.getLogger(WebSecurityConfig.class);
    private static final Set<String> API_PATHS = Set.of("/v1/**", "/v2/**");
    private static final String LOGIN_URL = "/login";
    private static final Set<String> UNAUTHENTICATED_PATHS = Set.of((Object[]) new String[]{LOGIN_URL, "/", "/identity/**", "/operate/**", "/tasklist/**", "/v2/license", "/error", "/actuator/**", "/ready", "/health", "/startup", "/v1/external/process/**", "/new/**"});

    @ConditionalOnMissingBean({MethodSecurityExpressionHandler.class})
    @Bean
    public MethodSecurityExpressionHandler methodSecurityExpressionHandler(AuthorizationServices authorizationServices) {
        return new CustomMethodSecurityExpressionHandler(authorizationServices);
    }

    @ConditionalOnAuthenticationMethod(AuthenticationMethod.BASIC)
    @Bean
    public CamundaUserDetailsService camundaUserDetailsService(UserServices userServices, AuthorizationServices authorizationServices, RoleServices roleServices, TenantServices tenantServices) {
        return new CamundaUserDetailsService(userServices, authorizationServices, roleServices, tenantServices);
    }

    @ConditionalOnAuthenticationMethod(AuthenticationMethod.OIDC)
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository(SecurityConfiguration securityConfiguration) {
        return new InMemoryClientRegistrationRepository(new ClientRegistration[]{OidcClientRegistration.create(securityConfiguration.getAuthentication().getOidc())});
    }

    @ConditionalOnAuthenticationMethod(AuthenticationMethod.OIDC)
    @Bean
    @Order(ORDER_WEBAPP_API_PROTECTION)
    public SecurityFilterChain oidcHttpSecurity(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler, ClientRegistrationRepository clientRegistrationRepository) throws Exception {
        return (SecurityFilterChain) baseHttpSecurity(httpSecurity, authFailureHandler, UNAUTHENTICATED_PATHS).oauth2ResourceServer(oAuth2ResourceServerConfigurer -> {
            oAuth2ResourceServerConfigurer.jwt(jwtConfigurer -> {
                jwtConfigurer.jwkSetUri(clientRegistrationRepository.findByRegistrationId(OidcClientRegistration.REGISTRATION_ID).getProviderDetails().getJwkSetUri());
            });
        }).oauth2Login(oAuth2LoginConfigurer -> {
        }).oidcLogout(oidcLogoutConfigurer -> {
        }).logout(logoutConfigurer -> {
            logoutConfigurer.logoutUrl(LOGOUT_URL).logoutSuccessHandler(this::genericSuccessHandler).deleteCookies(new String[0]);
        }).build();
    }

    private void genericSuccessHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        httpServletResponse.setStatus(HttpStatus.NO_CONTENT.value());
    }

    @ConditionalOnAuthenticationMethod(AuthenticationMethod.BASIC)
    @Bean
    @Order(ORDER_WEBAPP_API_PROTECTION)
    public SecurityFilterChain httpBasicAuthSecurityFilterChain(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler, SecurityConfiguration securityConfiguration) throws Exception {
        LOG.info("HTTP Basic authentication is enabled");
        return (SecurityFilterChain) baseHttpSecurity(withSecurityMatcher(httpSecurity, httpServletRequest -> {
            return isBasicAuthRequest(httpServletRequest) || (securityConfiguration.isApiProtected() && isApiRequest(httpServletRequest) && !isFrontendRequest(httpServletRequest));
        }), authFailureHandler, UNAUTHENTICATED_PATHS).httpBasic(Customizer.withDefaults()).build();
    }

    @Bean
    @Order(ORDER_UNPROTECTED_API)
    public SecurityFilterChain unprotectedApiAccessSecurityFilterChain(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler, SecurityConfiguration securityConfiguration) throws Exception {
        if (securityConfiguration.isApiProtected()) {
            return null;
        }
        LOG.warn("The API is accessible without authentication. Please disable {} for any deployment.", AuthenticationProperties.API_UNPROTECTED);
        return (SecurityFilterChain) baseHttpSecurity(withSecurityMatcher(httpSecurity, httpServletRequest -> {
            return isApiRequest(httpServletRequest) && !hasSessionCookie(httpServletRequest);
        }), authFailureHandler, Sets.union(UNAUTHENTICATED_PATHS, API_PATHS)).build();
    }

    @ConditionalOnAuthenticationMethod(AuthenticationMethod.BASIC)
    @Bean
    @Order(ORDER_LOGIN_LOGOUT_HANDLING)
    public SecurityFilterChain loginAuthSecurityFilterChain(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler) throws Exception {
        LOG.info("Configuring login auth");
        return (SecurityFilterChain) baseHttpSecurity(httpSecurity, authFailureHandler, UNAUTHENTICATED_PATHS).formLogin(formLoginConfigurer -> {
            formLoginConfigurer.loginPage(LOGIN_URL).loginProcessingUrl(LOGIN_URL).failureHandler(authFailureHandler).successHandler(this::genericSuccessHandler);
        }).logout(logoutConfigurer -> {
            logoutConfigurer.logoutUrl(LOGOUT_URL).logoutSuccessHandler(this::genericSuccessHandler).deleteCookies(new String[]{SESSION_COOKIE});
        }).exceptionHandling(exceptionHandlingConfigurer -> {
            exceptionHandlingConfigurer.authenticationEntryPoint(authFailureHandler).accessDeniedHandler(authFailureHandler);
        }).build();
    }

    @Bean
    public FilterRegistrationBean<TenantRequestAttributeFilter> tenantRequestAttributeFilterRegistration(MultiTenancyConfiguration multiTenancyConfiguration) {
        return new FilterRegistrationBean<>(new TenantRequestAttributeFilter(multiTenancyConfiguration), new ServletRegistrationBean[0]);
    }

    private static boolean isBasicAuthRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        return header != null && header.startsWith("Basic ");
    }

    private static boolean isFrontendRequest(HttpServletRequest httpServletRequest) {
        return hasSessionCookie(httpServletRequest) || httpServletRequest.getHeader("Referer") != null;
    }

    private static boolean hasSessionCookie(HttpServletRequest httpServletRequest) {
        if (httpServletRequest.getCookies() == null) {
            return false;
        }
        return Arrays.stream(httpServletRequest.getCookies()).anyMatch(cookie -> {
            return cookie.getName().equals(SESSION_COOKIE);
        });
    }

    private static boolean isApiRequest(HttpServletRequest httpServletRequest) {
        return API_PATHS.stream().anyMatch(str -> {
            return AntPathRequestMatcher.antMatcher(str).matches(httpServletRequest);
        });
    }

    private static HttpSecurity withSecurityMatcher(HttpSecurity httpSecurity, RequestMatcher requestMatcher) {
        return httpSecurity.securityMatchers(requestMatcherConfigurer -> {
            requestMatcherConfigurer.requestMatchers(new RequestMatcher[]{requestMatcher});
        });
    }

    private HttpSecurity baseHttpSecurity(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler, Set<String> set) throws Exception {
        return httpSecurity.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
            ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.requestMatchers((String[]) set.toArray(i -> {
                return new String[i];
            }))).permitAll().anyRequest()).authenticated();
        }).headers(headersConfigurer -> {
            headersConfigurer.httpStrictTransportSecurity(hstsConfig -> {
                hstsConfig.includeSubDomains(true).maxAgeInSeconds(63072000L).preload(true);
            });
        }).exceptionHandling(exceptionHandlingConfigurer -> {
            exceptionHandlingConfigurer.accessDeniedHandler(authFailureHandler);
        }).csrf((v0) -> {
            v0.disable();
        }).cors((v0) -> {
            v0.disable();
        }).formLogin((v0) -> {
            v0.disable();
        }).anonymous((v0) -> {
            v0.disable();
        });
    }
}
