package io.camunda.connector.runtime.saas.security;

import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

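@EnableWebSecurity
@Configuration
/**
 * Spring Security setup for the {@code /inbound-instances/**} endpoints.
 *
 * <p>Requests under that prefix must carry a JWT accepted by {@link #inboundInstancesJwtDecoder()};
 * everything else is left to other filter chains (this one is ordered at 2, so presumably a chain
 * with a lower order exists elsewhere in the application). CORS mappings are registered from
 * configuration as well.
 *
 * <p>Cleaned up from a decompiled listing: raw {@code OAuth2TokenValidator[]} / raw
 * {@code DelegatingOAuth2TokenValidator}, explicit varargs arrays and redundant casts replaced by
 * the generic, varargs forms Spring declares. Behaviour is unchanged.
 */
public class InboundInstancesSecurityConfiguration {

    /** Path pattern this chain owns; the security, CSRF and authorization matchers all use it. */
    private static final String INBOUND_INSTANCES_PATH = "/inbound-instances/**";

    /** Expected audience for incoming tokens; empty by default (how an empty value is treated is up to {@code AudienceValidator}). */
    @Value("${camunda.connector.auth.console.audience:}")
    private String consoleAudience;

    /** Roles a token must carry; checked by {@code OrganizationIdAndRolesValidator}. */
    @Value("${camunda.connector.auth.allowed.roles:owner,admin}")
    private List<String> allowedRoles;

    /** OIDC issuer URL; used both to discover the JWKS and to validate the {@code iss} claim. No default, so startup fails when unset. */
    @Value("${camunda.connector.auth.issuer}")
    private String issuer;

    /**
     * CORS origins; defaults to {@code *}. Spring rejects a wildcard origin combined with
     * {@code allowCredentials=true}, so enabling credentials requires listing explicit origins.
     */
    @Value("${camunda.endpoints.cors.allowed.origins:*}")
    private String[] allowedOrigins;

    /** Whether CORS responses allow credentials; off by default. */
    @Value("${camunda.endpoints.cors.allow.credentials:false}")
    private boolean allowCredentials;

    /** Path patterns the CORS configuration applies to; defaults to every path. */
    @Value("${camunda.endpoints.cors.mappings:/**}")
    private List<String> mappings;

    /** Organization the token must belong to; empty by default (handling of an empty value is up to {@code OrganizationIdAndRolesValidator}). */
    @Value("${camunda.connector.cloud.organization.id:}")
    private String organizationId;

    /**
     * Registers one CORS mapping per configured path, with the configured origins and credential
     * policy and all HTTP methods allowed.
     *
     * @return the MVC configurer that applies the CORS mappings
     */
    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry corsRegistry) {
                for (String mapping : mappings) {
                    corsRegistry.addMapping(mapping)
                            .allowCredentials(allowCredentials)
                            .allowedOrigins(allowedOrigins)
                            .allowedMethods("*");
                }
            }
        };
    }

    /**
     * Builds the filter chain for {@code /inbound-instances/**}: CORS enabled, CSRF ignored on the
     * prefix, every request must be authenticated, and authentication is a bearer JWT decoded by
     * {@link #inboundInstancesJwtDecoder()}.
     *
     * <p>Ignoring CSRF here relies on the endpoints being called with a bearer token rather than a
     * cookie-backed session; this configuration does not establish a session itself, but that
     * assumption should be confirmed if session-based authentication is ever enabled on the prefix.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the built chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    @Order(2)
    public SecurityFilterChain inboundInstancesFilterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .cors(Customizer.withDefaults())
                .csrf(csrf -> csrf.ignoringRequestMatchers(INBOUND_INSTANCES_PATH))
                .securityMatchers(matchers -> matchers.requestMatchers(INBOUND_INSTANCES_PATH))
                .authorizeHttpRequests(requests ->
                        requests.requestMatchers(INBOUND_INSTANCES_PATH).authenticated())
                .oauth2ResourceServer(resourceServer ->
                        resourceServer.jwt(jwt -> jwt.decoder(inboundInstancesJwtDecoder())));
        return httpSecurity.build();
    }

    /**
     * Creates the JWT decoder for the inbound-instances chain.
     *
     * <p>Keys are fetched from the issuer's OIDC discovery document. On top of the decoder's
     * signature check, three validators run in order: organization/role membership, Spring's
     * default validation with issuer (timestamps plus {@code iss}), and the audience check.
     *
     * @return the configured decoder
     */
    @Bean
    JwtDecoder inboundInstancesJwtDecoder() {
        NimbusJwtDecoder decoder = JwtDecoders.fromOidcIssuerLocation(issuer);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                new OrganizationIdAndRolesValidator(organizationId, allowedRoles),
                JwtValidators.createDefaultWithIssuer(issuer),
                new AudienceValidator(consoleAudience)));
        return decoder;
    }
}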
