package io.camunda.authentication.config;

import io.camunda.authentication.CamundaUserDetailsService;
import io.camunda.authentication.ConditionalOnAuthenticationMethod;
import io.camunda.authentication.ConditionalOnUnprotectedApi;
import io.camunda.authentication.filters.TenantRequestAttributeFilter;
import io.camunda.authentication.filters.WebApplicationAuthorizationCheckFilter;
import io.camunda.authentication.handler.AuthFailureHandler;
import io.camunda.authentication.handler.CustomMethodSecurityExpressionHandler;
import io.camunda.security.configuration.MultiTenancyConfiguration;
import io.camunda.security.configuration.SecurityConfiguration;
import io.camunda.security.entity.AuthenticationMethod;
import io.camunda.service.AuthorizationServices;
import io.camunda.service.RoleServices;
import io.camunda.service.TenantServices;
import io.camunda.service.UserServices;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.AuthorizationFilter;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
@Profile({"consolidated-auth"})
/* loaded from: input_file:io/camunda/authentication/config/WebSecurityConfig.class */
public class WebSecurityConfig {
    public static final String SESSION_COOKIE = "camunda-session";
    private static final int ORDER_UNPROTECTED = 0;
    private static final int ORDER_WEBAPP_API = 1;
    private static final int ORDER_UNHANDLED = 2;
    private static final String LOGIN_URL = "/login";
    private static final Logger LOG = LoggerFactory.getLogger(WebSecurityConfig.class);
    private static final Set<String> API_PATHS = Set.of("/api/**", "/v1/**", "/v2/**");
    private static final Set<String> UNPROTECTED_API_PATHS = Set.of("/v2/license", "/v1/external/process/**");
    private static final String LOGOUT_URL = "/logout";
    private static final Set<String> WEBAPP_PATHS = Set.of("/login/**", LOGOUT_URL, "/identity/**", "/operate/**", "/tasklist/**", "/", "/sso-callback/**", "/oauth2/authorization/**");
    private static final Set<String> UNPROTECTED_PATHS = Set.of("/error", "/actuator/**", "/ready", "/health", "/startup", "/swagger-ui/**", "/v3/api-docs/**", "/camunda-api-docs/**", "/new/**", "/favicon.ico");

    @Configuration
    @ConditionalOnAuthenticationMethod(AuthenticationMethod.BASIC)
    /* loaded from: input_file:io/camunda/authentication/config/WebSecurityConfig$BasicConfiguration.class */
    public static class BasicConfiguration {
        @Bean
        public CamundaUserDetailsService camundaUserDetailsService(UserServices userServices, AuthorizationServices authorizationServices, RoleServices roleServices, TenantServices tenantServices) {
            return new CamundaUserDetailsService(userServices, authorizationServices, roleServices, tenantServices);
        }

        @Bean
        @Order(WebSecurityConfig.ORDER_WEBAPP_API)
        public SecurityFilterChain httpBasicApiAuthSecurityFilterChain(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler) throws Exception {
            WebSecurityConfig.LOG.info("The API is protected by HTTP Basic authentication.");
            return (SecurityFilterChain) httpSecurity.securityMatcher((String[]) WebSecurityConfig.API_PATHS.toArray(i -> {
                return new String[i];
            })).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.requestMatchers((String[]) WebSecurityConfig.UNPROTECTED_API_PATHS.toArray(i2 -> {
                    return new String[i2];
                }))).permitAll().anyRequest()).authenticated();
            }).headers(WebSecurityConfig::setupStrictTransportSecurity).csrf((v0) -> {
                v0.disable();
            }).cors((v0) -> {
                v0.disable();
            }).formLogin((v0) -> {
                v0.disable();
            }).anonymous((v0) -> {
                v0.disable();
            }).httpBasic(Customizer.withDefaults()).exceptionHandling(exceptionHandlingConfigurer -> {
                exceptionHandlingConfigurer.authenticationEntryPoint(authFailureHandler).accessDeniedHandler(authFailureHandler);
            }).sessionManagement(sessionManagementConfigurer -> {
                sessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.NEVER);
            }).build();
        }

        @Bean
        @Order(WebSecurityConfig.ORDER_WEBAPP_API)
        public SecurityFilterChain httpBasicWebappAuthSecurityFilterChain(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler, WebApplicationAuthorizationCheckFilter webApplicationAuthorizationCheckFilter) throws Exception {
            WebSecurityConfig.LOG.info("Web Applications Login/Logout is setup.");
            return (SecurityFilterChain) httpSecurity.securityMatcher((String[]) WebSecurityConfig.WEBAPP_PATHS.toArray(i -> {
                return new String[i];
            })).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.anyRequest()).permitAll();
            }).csrf((v0) -> {
                v0.disable();
            }).cors((v0) -> {
                v0.disable();
            }).anonymous((v0) -> {
                v0.disable();
            }).httpBasic(Customizer.withDefaults()).formLogin(formLoginConfigurer -> {
                formLoginConfigurer.loginPage(WebSecurityConfig.LOGIN_URL).loginProcessingUrl(WebSecurityConfig.LOGIN_URL).failureHandler(authFailureHandler).successHandler(WebSecurityConfig::noContentSuccessHandler);
            }).logout(logoutConfigurer -> {
                logoutConfigurer.logoutUrl(WebSecurityConfig.LOGOUT_URL).logoutSuccessHandler(WebSecurityConfig::noContentSuccessHandler).deleteCookies(new String[]{WebSecurityConfig.SESSION_COOKIE});
            }).exceptionHandling(exceptionHandlingConfigurer -> {
                exceptionHandlingConfigurer.authenticationEntryPoint(authFailureHandler).accessDeniedHandler(authFailureHandler);
            }).addFilterAfter(webApplicationAuthorizationCheckFilter, AuthorizationFilter.class).build();
        }
    }

    @Configuration
    @ConditionalOnAuthenticationMethod(AuthenticationMethod.OIDC)
    /* loaded from: input_file:io/camunda/authentication/config/WebSecurityConfig$OidcConfiguration.class */
    public static class OidcConfiguration {
        @Bean
        public ClientRegistrationRepository clientRegistrationRepository(SecurityConfiguration securityConfiguration) {
            return new InMemoryClientRegistrationRepository(new ClientRegistration[]{OidcClientRegistration.create(securityConfiguration.getAuthentication().getOidc())});
        }

        @Bean
        public JwtDecoder jwtDecoder(SecurityConfiguration securityConfiguration, ClientRegistrationRepository clientRegistrationRepository) {
            NimbusJwtDecoder build = NimbusJwtDecoder.withJwkSetUri(clientRegistrationRepository.findByRegistrationId(OidcClientRegistration.REGISTRATION_ID).getProviderDetails().getJwkSetUri()).build();
            Set audiences = securityConfiguration.getAuthentication().getOidc().getAudiences();
            if (audiences != null) {
                build.setJwtValidator(JwtValidators.createDefaultWithValidators(new OAuth2TokenValidator[]{new AudienceValidator(audiences)}));
            }
            return build;
        }

        @Bean
        @Order(WebSecurityConfig.ORDER_WEBAPP_API)
        public SecurityFilterChain oidcApiSecurity(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler, JwtDecoder jwtDecoder) throws Exception {
            return (SecurityFilterChain) httpSecurity.securityMatcher((String[]) WebSecurityConfig.API_PATHS.toArray(new String[WebSecurityConfig.ORDER_UNPROTECTED])).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.requestMatchers((String[]) WebSecurityConfig.UNPROTECTED_API_PATHS.toArray(i -> {
                    return new String[i];
                }))).permitAll().anyRequest()).authenticated();
            }).headers(WebSecurityConfig::setupStrictTransportSecurity).exceptionHandling(exceptionHandlingConfigurer -> {
                exceptionHandlingConfigurer.accessDeniedHandler(authFailureHandler);
            }).csrf((v0) -> {
                v0.disable();
            }).cors((v0) -> {
                v0.disable();
            }).formLogin((v0) -> {
                v0.disable();
            }).anonymous((v0) -> {
                v0.disable();
            }).oauth2ResourceServer(oAuth2ResourceServerConfigurer -> {
                oAuth2ResourceServerConfigurer.jwt(jwtConfigurer -> {
                    jwtConfigurer.decoder(jwtDecoder);
                });
            }).oauth2Login((v0) -> {
                v0.disable();
            }).oidcLogout((v0) -> {
                v0.disable();
            }).logout((v0) -> {
                v0.disable();
            }).build();
        }

        @Bean
        @Order(WebSecurityConfig.ORDER_WEBAPP_API)
        public SecurityFilterChain oidcWebappSecurity(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler, ClientRegistrationRepository clientRegistrationRepository, WebApplicationAuthorizationCheckFilter webApplicationAuthorizationCheckFilter, JwtDecoder jwtDecoder) throws Exception {
            return (SecurityFilterChain) httpSecurity.securityMatcher((String[]) WebSecurityConfig.WEBAPP_PATHS.toArray(new String[WebSecurityConfig.ORDER_UNPROTECTED])).headers(WebSecurityConfig::setupStrictTransportSecurity).exceptionHandling(exceptionHandlingConfigurer -> {
                exceptionHandlingConfigurer.accessDeniedHandler(authFailureHandler);
            }).csrf((v0) -> {
                v0.disable();
            }).cors((v0) -> {
                v0.disable();
            }).formLogin((v0) -> {
                v0.disable();
            }).anonymous((v0) -> {
                v0.disable();
            }).oauth2ResourceServer(oAuth2ResourceServerConfigurer -> {
                oAuth2ResourceServerConfigurer.jwt(jwtConfigurer -> {
                    jwtConfigurer.decoder(jwtDecoder);
                });
            }).oauth2Login(oAuth2LoginConfigurer -> {
                oAuth2LoginConfigurer.clientRegistrationRepository(clientRegistrationRepository).redirectionEndpoint(redirectionEndpointConfig -> {
                    redirectionEndpointConfig.baseUri("/sso-callback");
                });
            }).oidcLogout(oidcLogoutConfigurer -> {
            }).logout(logoutConfigurer -> {
                logoutConfigurer.logoutUrl(WebSecurityConfig.LOGOUT_URL).logoutSuccessHandler(WebSecurityConfig::noContentSuccessHandler).deleteCookies(new String[WebSecurityConfig.ORDER_UNPROTECTED]);
            }).addFilterAfter(webApplicationAuthorizationCheckFilter, AuthorizationFilter.class).build();
        }
    }

    @ConditionalOnMissingBean({MethodSecurityExpressionHandler.class})
    @Bean
    public MethodSecurityExpressionHandler methodSecurityExpressionHandler(AuthorizationServices authorizationServices) {
        return new CustomMethodSecurityExpressionHandler(authorizationServices);
    }

    @Bean
    @Order(ORDER_UNPROTECTED)
    public SecurityFilterChain unprotectedPathsSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        return (SecurityFilterChain) httpSecurity.securityMatcher((String[]) UNPROTECTED_PATHS.toArray(i -> {
            return new String[i];
        })).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
            ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.anyRequest()).permitAll();
        }).headers(WebSecurityConfig::setupStrictTransportSecurity).csrf((v0) -> {
            v0.disable();
        }).cors((v0) -> {
            v0.disable();
        }).formLogin((v0) -> {
            v0.disable();
        }).anonymous((v0) -> {
            v0.disable();
        }).build();
    }

    @Bean
    @ConditionalOnUnprotectedApi
    @Order(ORDER_UNPROTECTED)
    public SecurityFilterChain unprotectedApiAuthSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        LOG.warn("The API is unprotected. Please disable {} for any deployment.", AuthenticationProperties.API_UNPROTECTED);
        return (SecurityFilterChain) httpSecurity.securityMatcher((String[]) API_PATHS.toArray(i -> {
            return new String[i];
        })).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
            ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.anyRequest()).permitAll();
        }).headers(WebSecurityConfig::setupStrictTransportSecurity).csrf((v0) -> {
            v0.disable();
        }).cors((v0) -> {
            v0.disable();
        }).formLogin((v0) -> {
            v0.disable();
        }).anonymous((v0) -> {
            v0.disable();
        }).build();
    }

    @Bean
    @Order(ORDER_UNHANDLED)
    public SecurityFilterChain protectedUnhandledPathsSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        return (SecurityFilterChain) httpSecurity.securityMatcher(new String[]{"/**"}).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
            ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.anyRequest()).denyAll();
        }).build();
    }

    @Bean
    public FilterRegistrationBean<TenantRequestAttributeFilter> tenantRequestAttributeFilterRegistration(MultiTenancyConfiguration multiTenancyConfiguration) {
        return new FilterRegistrationBean<>(new TenantRequestAttributeFilter(multiTenancyConfiguration), new ServletRegistrationBean[ORDER_UNPROTECTED]);
    }

    @Bean
    public WebApplicationAuthorizationCheckFilter applicationAuthorizationFilterFilter(SecurityConfiguration securityConfiguration) {
        return new WebApplicationAuthorizationCheckFilter(securityConfiguration);
    }

    private static void noContentSuccessHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        httpServletResponse.setStatus(HttpStatus.NO_CONTENT.value());
    }

    private static void setupStrictTransportSecurity(HeadersConfigurer<HttpSecurity> headersConfigurer) {
        headersConfigurer.httpStrictTransportSecurity(hstsConfig -> {
            hstsConfig.includeSubDomains(true).maxAgeInSeconds(63072000L).preload(true);
        });
    }
}
