package net.n2oapp.security.admin.auth.server;

import java.io.IOException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.n2oapp.security.admin.auth.server.esia.EsiaAccessTokenProvider;
import net.n2oapp.security.admin.auth.server.esia.EsiaUserInfoTokenServices;
import net.n2oapp.security.admin.auth.server.esia.Pkcs7Util;
import net.n2oapp.security.admin.auth.server.exception.AuthenticationExceptionHandler;
import net.n2oapp.security.admin.auth.server.logout.OAuth2ProviderRedirectLogoutSuccessHandler;
import net.n2oapp.security.admin.impl.repository.UserRepository;
import net.n2oapp.security.admin.impl.service.UserDetailsServiceImpl;
import net.n2oapp.security.auth.common.AuthoritiesPrincipalExtractor;
import net.n2oapp.security.auth.common.LogoutHandler;
import net.n2oapp.security.auth.common.User;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.boot.autoconfigure.security.oauth2.resource.UserInfoTokenServices;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.NestedConfigurationProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter;
import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.filter.CompositeFilter;
import ru.i_novus.ms.audit.client.UserAccessor;

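@Configuration
@EnableOAuth2Client
@EnableWebSecurity
@ComponentScan
@Order(200)
/**
 * Spring Security configuration for the authentication gateway.
 *
 * <p>Wires two OAuth2 authorization-code login flows (Keycloak at
 * {@code /login/keycloak}, ESIA at {@code /login/esia}) into one composite
 * SSO filter placed before {@link BasicAuthenticationFilter}, defines the
 * user-details services used to map provider identities onto local users,
 * and exposes a {@link UserAccessor} for the audit client.
 *
 * <p>Security-relevant choices made here (see the inline NOTE(review) comments):
 * CSRF protection is disabled for the whole chain, {@code /api/**} is
 * permitted without authentication at this layer, and static-resource paths
 * bypass the security filter chain entirely.
 */
public class AuthGatewayConfiguration extends WebSecurityConfigurerAdapter {

    /** Where unauthenticated users are sent to start a login; defaults to "/". */
    @Value("${access.auth.login-entry-point:/}")
    String loginEntryPoint;

    /** Session-scoped OAuth2 client context shared by both provider rest templates. */
    @Autowired
    OAuth2ClientContext oauth2ClientContext;

    /** Local user lookup used for Keycloak principals (the @Primary UserDetailsService). */
    @Autowired
    UserDetailsServiceImpl gatewayUserDetailsService;

    /** Local user lookup used for ESIA principals. */
    @Autowired
    @Qualifier("esiaUserDetailsService")
    EsiaUserDetailsService esiaUserDetailsService;

    /** Additional logout handlers run by the provider-redirect logout success handler. */
    @Autowired
    List<LogoutHandler> logoutHandlers;

    /** Signs the ESIA token request (used by EsiaAccessTokenProvider). */
    @Autowired
    private Pkcs7Util pkcs7Util;

    @Autowired
    private UserRepository userRepository;

    /**
     * Per-provider settings bound from {@code access.keycloak.*} / {@code access.esia.*}:
     * the OAuth2 client registration, the resource (user-info) endpoint and the
     * provider-side logout URI.
     */
    public static class ClientResources {

        @NestedConfigurationProperty
        private AuthorizationCodeResourceDetails client = new AuthorizationCodeResourceDetails();

        @NestedConfigurationProperty
        private ResourceServerProperties resource = new ResourceServerProperties();

        /** Provider endpoint the browser is redirected to after local logout; may be null. */
        private String logoutUri;

        ClientResources() {
        }

        public AuthorizationCodeResourceDetails getClient() {
            return this.client;
        }

        public ResourceServerProperties getResource() {
            return this.resource;
        }

        public String getLogoutUri() {
            return this.logoutUri;
        }

        public void setLogoutUri(String str) {
            this.logoutUri = str;
        }
    }

    /**
     * Static-resource paths that bypass the Spring Security filter chain entirely.
     * Requests matched here get no authentication and no security headers from
     * this chain, so nothing sensitive should ever be served under these prefixes.
     */
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity.ignoring().mvcMatchers(new String[]{"/css/**", "/icons/**", "/fonts/**", "/public/**", "/static/**", "/webjars/**"});
    }

    /**
     * Main filter-chain definition.
     *
     * <p>Public: "/", "/login**", "/api/**", "/oauth/certs" and the static prefixes;
     * everything else requires an authenticated session. Unauthenticated access is
     * redirected to {@link #loginEntryPoint}; logout redirects through
     * {@link OAuth2ProviderRedirectLogoutSuccessHandler} to the provider logout URI.
     *
     * <p>NOTE(review): {@code csrf().disable()} switches CSRF protection off for the whole
     * chain even though login is session-backed. If this application serves any
     * state-changing endpoints beyond the OAuth2 callback/logout flow, prefer
     * {@code csrf().ignoringAntMatchers(...)} limited to those paths — confirm with owners.
     *
     * <p>NOTE(review): {@code /api/**} is permitAll at this layer; those endpoints must
     * enforce their own authorization (e.g. token validation) — verify.
     */
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(new String[]{"/", "/login**", "/api/**", "/oauth/certs", "/css/**", "/icons/**", "/fonts/**", "/public/**", "/static/**", "/webjars/**"})).permitAll().anyRequest()).authenticated().and().exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint(this.loginEntryPoint)).and().logout().logoutSuccessUrl(this.loginEntryPoint).logoutSuccessHandler(new OAuth2ProviderRedirectLogoutSuccessHandler(this.logoutHandlers, keycloak().getLogoutUri(), esia().getLogoutUri())).permitAll().and().csrf().disable().addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
    }

    /** Default (primary) UserDetailsService backing Keycloak logins and refresh-token lookups. */
    @Bean
    @Primary
    public UserDetailsServiceImpl gatewayUserDetailsService() {
        return new UserDetailsServiceImpl();
    }

    /** ESIA user-details service; FIO (name) synchronization from the provider is enabled. */
    @Bean
    public EsiaUserDetailsService esiaUserDetailsService() {
        EsiaUserDetailsService esiaUserDetailsService = new EsiaUserDetailsService();
        esiaUserDetailsService.setSynchronizeFio(true);
        return esiaUserDetailsService;
    }

    /** UserDetailsService used when a refresh token has to be re-resolved to a user. */
    @Bean
    public UserDetailsService refreshTokenUserDetailsService() {
        return new RefreshTokenUserDetailsService(this.userRepository, this.gatewayUserDetailsService);
    }

    /**
     * Registers the OAuth2 client-context filter early in the servlet chain (order -100).
     *
     * <p>The redirect strategy is replaced so that a literal '+' in the authorization
     * redirect URL is sent as "%2B"; presumably this keeps provider-signed query
     * parameters intact when the browser re-encodes the URL — confirm against the
     * ESIA authorization endpoint behavior.
     */
    @Bean
    public FilterRegistrationBean<OAuth2ClientContextFilter> oauth2ClientFilterRegistration(OAuth2ClientContextFilter oAuth2ClientContextFilter) {
        FilterRegistrationBean<OAuth2ClientContextFilter> filterRegistrationBean = new FilterRegistrationBean<>();
        filterRegistrationBean.setFilter(oAuth2ClientContextFilter);
        filterRegistrationBean.setOrder(-100);
        oAuth2ClientContextFilter.setRedirectStrategy(new DefaultRedirectStrategy() {
            @Override
            public void sendRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException {
                super.sendRedirect(httpServletRequest, httpServletResponse, str.replace("+", "%2B"));
            }
        });
        return filterRegistrationBean;
    }

    /** Keycloak client/resource/logout settings bound from {@code access.keycloak.*}. */
    @ConfigurationProperties("access.keycloak")
    @Bean
    public ClientResources keycloak() {
        return new ClientResources();
    }

    /** ESIA client/resource/logout settings bound from {@code access.esia.*}. */
    @ConfigurationProperties("access.esia")
    @Bean
    public ClientResources esia() {
        return new ClientResources();
    }

    /**
     * Composite SSO filter: Keycloak login on {@code /login/keycloak} and ESIA login on
     * {@code /login/esia}. Built directly (not as a @Bean) so it is registered only
     * through {@link #configure(HttpSecurity)} and not auto-added to the servlet chain.
     */
    protected Filter ssoFilter() {
        CompositeFilter compositeFilter = new CompositeFilter();
        List<Filter> filters = new ArrayList<>();
        filters.add(ssoKeycloakFilter(keycloak(), "/login/keycloak"));
        filters.add(ssoEsiaFilter(esia(), "/login/esia"));
        compositeFilter.setFilters(filters);
        return compositeFilter;
    }

    /**
     * Builds the Keycloak authorization-code login filter on the given path.
     * Identity is resolved by calling the provider's user-info endpoint and mapping
     * the result through {@link AuthoritiesPrincipalExtractor} tagged "KEYCLOAK".
     */
    private Filter ssoKeycloakFilter(ClientResources clientResources, String str) {
        GatewayOAuth2ClientAuthenticationProcessingFilter gatewayOAuth2ClientAuthenticationProcessingFilter = new GatewayOAuth2ClientAuthenticationProcessingFilter(str);
        OAuth2RestTemplate oAuth2RestTemplate = new OAuth2RestTemplate(clientResources.getClient(), this.oauth2ClientContext);
        gatewayOAuth2ClientAuthenticationProcessingFilter.setRestTemplate(oAuth2RestTemplate);
        gatewayOAuth2ClientAuthenticationProcessingFilter.setAuthenticationFailureHandler(new AuthenticationExceptionHandler());
        UserInfoTokenServices userInfoTokenServices = new UserInfoTokenServices(clientResources.getResource().getUserInfoUri(), clientResources.getClient().getClientId());
        userInfoTokenServices.setRestTemplate(oAuth2RestTemplate);
        AuthoritiesPrincipalExtractor authoritiesPrincipalExtractor = new AuthoritiesPrincipalExtractor(this.gatewayUserDetailsService, "KEYCLOAK");
        userInfoTokenServices.setAuthoritiesExtractor(authoritiesPrincipalExtractor);
        userInfoTokenServices.setPrincipalExtractor(authoritiesPrincipalExtractor);
        gatewayOAuth2ClientAuthenticationProcessingFilter.setTokenServices(userInfoTokenServices);
        return gatewayOAuth2ClientAuthenticationProcessingFilter;
    }

    /**
     * Builds the ESIA authorization-code login filter on the given path.
     *
     * <p>The token exchange goes through {@link EsiaAccessTokenProvider} (PKCS#7-signed
     * request via {@link #pkcs7Util}); the principal is taken from the "snils" claim
     * of the user-info response. BouncyCastle is registered as a JCA provider here
     * because the signing code depends on it; the registration is guarded so that
     * building the filter more than once does not re-register the provider.
     */
    private Filter ssoEsiaFilter(ClientResources clientResources, String str) {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        GatewayOAuth2ClientAuthenticationProcessingFilter gatewayOAuth2ClientAuthenticationProcessingFilter = new GatewayOAuth2ClientAuthenticationProcessingFilter(str);
        OAuth2RestOperations oAuth2RestTemplate = new OAuth2RestTemplate(clientResources.getClient(), this.oauth2ClientContext);
        oAuth2RestTemplate.setAccessTokenProvider(new AccessTokenProviderChain(Arrays.asList(new EsiaAccessTokenProvider(this.pkcs7Util))));
        gatewayOAuth2ClientAuthenticationProcessingFilter.setRestTemplate(oAuth2RestTemplate);
        gatewayOAuth2ClientAuthenticationProcessingFilter.setAuthenticationFailureHandler(new AuthenticationExceptionHandler());
        EsiaUserInfoTokenServices esiaUserInfoTokenServices = new EsiaUserInfoTokenServices(clientResources.getResource().getUserInfoUri(), clientResources.getClient().getClientId());
        esiaUserInfoTokenServices.setRestTemplate(oAuth2RestTemplate);
        AuthoritiesPrincipalExtractor principalKeys = new AuthoritiesPrincipalExtractor(this.esiaUserDetailsService, "ESIA").setPrincipalKeys(new String[]{"snils"});
        esiaUserInfoTokenServices.setAuthoritiesExtractor(principalKeys);
        esiaUserInfoTokenServices.setPrincipalExtractor(principalKeys);
        gatewayOAuth2ClientAuthenticationProcessingFilter.setTokenServices(esiaUserInfoTokenServices);
        return gatewayOAuth2ClientAuthenticationProcessingFilter;
    }

    /**
     * Supplies the current user to the audit client.
     *
     * <p>Reads the authentication from {@link SecurityContextHolder}. For a local
     * {@link User} principal the audit record carries (email, username); for any other
     * principal its string form is used in the first slot and "-" in the second;
     * with no authentication both are "-". The non-User branch is an Object, so it is
     * converted with {@code String.valueOf} rather than assigned directly.
     */
    @Bean
    public UserAccessor userAccessor() {
        return () -> {
            String username = "-";
            String identity = "-";
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (authentication != null && authentication.getPrincipal() != null) {
                Object principal = authentication.getPrincipal();
                if (principal instanceof User) {
                    User user = (User) principal;
                    identity = user.getEmail();
                    username = user.getUsername();
                } else {
                    identity = String.valueOf(principal);
                }
            }
            return new ru.i_novus.ms.audit.client.model.User(identity, username);
        };
    }
}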
