package io.camunda.connector.runtime.saas.security;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Spring Security setup for the SaaS connector runtime's HTTP surface.
 *
 * <p>Two layers are configured here:
 * <ul>
 *   <li>{@link #webSecurityCustomizer()} removes {@code /inbound/*} (four HTTP methods) and
 *       {@code /actuator/**} from Spring Security altogether.</li>
 *   <li>{@link #filterChain(HttpSecurity)} protects {@code /inbound} and {@code /tenants/**}
 *       with OAuth2 bearer JWTs that must carry the {@code inbound:read} scope.</li>
 * </ul>
 *
 * <p>JWTs are checked against the configured issuer and audience, see {@link #jwtDecoder()}.
 */
@EnableWebSecurity
@Configuration
/* loaded from: input_file:io/camunda/connector/runtime/saas/security/SecurityConfiguration.class */
public class SecurityConfiguration {

    // Expected audience of incoming JWTs; handed to AudienceValidator in jwtDecoder().
    @Value("${camunda.connector.auth.audience}")
    private String audience;

    // Issuer location: used for OIDC discovery and for the issuer check in jwtDecoder().
    @Value("${camunda.connector.auth.issuer}")
    private String issuer;

    /**
     * Excludes the webhook and actuator paths from Spring Security.
     *
     * <p>Requests matched by {@code ignoring()} never enter the security filter chain, so they
     * get no authentication, no CSRF handling and no security response headers from this
     * configuration. Any access control for these paths has to be enforced elsewhere.
     *
     * @return customizer registering the ignored request matchers
     */
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return web -> {
            WebSecurity.IgnoredRequestConfigurer ignored = web.ignoring();
            // "/inbound/*" covers exactly one path segment below /inbound, and only for the
            // methods listed; any other method on that path still goes through filterChain().
            // NOTE(review): presumably these are webhook endpoints whose callers are verified
            // by the connector itself - confirm, since nothing here authenticates them.
            HttpMethod[] webhookMethods = {
                HttpMethod.POST, HttpMethod.GET, HttpMethod.PUT, HttpMethod.DELETE
            };
            for (HttpMethod method : webhookMethods) {
                ignored.requestMatchers(method, "/inbound/*");
            }
            // Every actuator endpoint that is exposed over HTTP is reachable without a token
            // as far as this class is concerned. NOTE(review): which endpoints are exposed,
            // and on which port, is decided by management.* settings not shown here - verify
            // that nothing sensitive (env, heapdump, ...) is reachable from outside.
            ignored.requestMatchers("/actuator/**");
        };
    }

    /**
     * Builds the filter chain for everything not excluded by {@link #webSecurityCustomizer()}.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @return the assembled filter chain
     * @throws Exception if the chain cannot be built
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // CSRF protection is switched off for the whole /inbound/** subtree, which is
            // wider than the single-segment "/inbound/*" pattern ignored above.
            .csrf(csrf -> csrf.ignoringRequestMatchers("/inbound/**"))
            // With no custom authorities converter configured here, Spring derives
            // "SCOPE_<scope>" authorities from the token's scope claim by default.
            // NOTE(review): there is no anyRequest() rule; how requests outside these two
            // patterns are treated is left to the framework default - an explicit
            // anyRequest().denyAll() (or authenticated()) would make the intent visible.
            .authorizeHttpRequests(requests ->
                requests.requestMatchers("/inbound", "/tenants/**").hasAuthority("SCOPE_inbound:read"))
            // @Configuration's default bean-method proxying makes jwtDecoder() resolve to the
            // singleton bean instead of building a second decoder.
            .oauth2ResourceServer(resourceServer ->
                resourceServer.jwt(jwt -> jwt.decoder(jwtDecoder())));
        return httpSecurity.build();
    }

    /**
     * Creates the JWT decoder used by the resource server.
     *
     * <p>{@code JwtDecoders.fromOidcIssuerLocation} fetches the issuer's OpenID Provider
     * configuration when the bean is created, so the issuer must be reachable at that point.
     * {@code setJwtValidator} replaces the decoder's validator, therefore the default checks
     * plus the issuer check ({@code createDefaultWithIssuer}) are combined explicitly with the
     * audience check.
     *
     * @return decoder validating default claims, issuer and audience
     */
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = JwtDecoders.fromOidcIssuerLocation(issuer);
        // AudienceValidator is declared elsewhere in this package; presumably it rejects
        // tokens whose "aud" claim lacks the configured audience - TODO confirm.
        // Raw types are kept as in the original listing.
        OAuth2TokenValidator[] validators = {
            JwtValidators.createDefaultWithIssuer(issuer), new AudienceValidator(audience)
        };
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator(validators));
        return decoder;
    }
}
