package org.apache.causeway.security.keycloak;

import java.util.Collections;
import java.util.List;
import java.util.Objects;
import org.apache.causeway.core.config.CausewayConfiguration;
import org.apache.causeway.core.runtimeservices.CausewayModuleCoreRuntimeServices;
import org.apache.causeway.core.security.authentication.login.LoginSuccessHandlerUNUSED;
import org.apache.causeway.core.webapp.CausewayModuleCoreWebapp;
import org.apache.causeway.security.keycloak.handler.LogoutHandlerForKeycloak;
import org.apache.causeway.security.keycloak.services.KeycloakOauth2UserService;
import org.apache.causeway.security.spring.CausewayModuleSecuritySpring;
import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.MappedJwtClaimSetConverter;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.Assert;

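/**
 * Spring configuration that puts the web application behind an OAuth2/OIDC login and
 * registers the beans needed to decode the tokens issued by the identity provider.
 *
 * <p>Two beans are published: the {@link SecurityFilterChain} that requires authentication
 * for every request, and the {@link KeycloakOauth2UserService} that is handed a JWT decoder
 * and an authority mapper.
 */
@Configuration
@EnableWebSecurity
@Import({CausewayModuleCoreRuntimeServices.class, CausewayModuleCoreWebapp.class, LogoutHandlerForKeycloak.class, CausewayModuleSecuritySpring.class})
public class CausewayModuleSecurityKeycloak {

    /** Key under which the provider settings are looked up in {@link OAuth2ClientProperties}. */
    private static final String KEYCLOAK_PROVIDER_ID = "keycloak";

    /** JWS algorithm the decoder is restricted to. */
    private static final String JWS_ALGORITHM = "RS256";

    /**
     * Builds the security filter chain: every request must be authenticated, login is
     * delegated to the OAuth2 client registration named after the configured realm, and
     * {@code /logout} runs all contributed logout handlers.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @param causewayConfiguration source of the Keycloak realm and login-success URL
     * @param keycloakOauth2UserService OIDC user service plugged into the user-info endpoint
     * @param list injected but not used by this method
     * @param list2 logout handlers to run on logout, in injection order
     * @return the built filter chain
     * @throws Exception if the underlying builder fails
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity, CausewayConfiguration causewayConfiguration, KeycloakOauth2UserService keycloakOauth2UserService, List<LoginSuccessHandlerUNUSED> list, List<LogoutHandler> list2) throws Exception {
        String loginSuccessUrl = causewayConfiguration.getSecurity().getKeycloak().getLoginSuccessUrl();
        // The realm name doubles as the OAuth2 client registration id in the login URL.
        String loginPage = "/oauth2/authorization/" + causewayConfiguration.getSecurity().getKeycloak().getRealm();

        // NOTE(review): a path-only AntPathRequestMatcher matches any HTTP method, so a plain
        // GET /logout ends the session; restrict to POST if cross-site forced logout matters.
        LogoutConfigurer<HttpSecurity> logoutConfigurer = httpSecurity
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .and()
                .authorizeHttpRequests().anyRequest().authenticated()
                .and()
                .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
        list2.forEach(logoutConfigurer::addLogoutHandler);

        // NOTE(review): in Spring Security defaultSuccessUrl(..) installs its own success
        // handler and the successHandler(..) call that follows replaces it, so loginSuccessUrl
        // appears to have no effect here. Left as-is to keep the redirect behaviour; confirm
        // which of the two was intended.
        logoutConfigurer.and()
                .oauth2Login()
                .defaultSuccessUrl(loginSuccessUrl, true)
                .successHandler(new SavedRequestAwareAuthenticationSuccessHandler())
                .userInfoEndpoint().oidcUserService(keycloakOauth2UserService)
                .and()
                .loginPage(loginPage);
        return httpSecurity.build();
    }

    /**
     * Creates the OIDC user service, giving it a JWT decoder bound to the provider's JWK set
     * and an authority mapper that upper-cases authority names.
     *
     * @param oAuth2ClientProperties Spring Boot OAuth2 client settings; must contain a provider
     *     entry named {@code keycloak}
     * @param causewayConfiguration passed through to the user service
     * @return the configured user service
     * @throws IllegalArgumentException if the {@code keycloak} provider entry is missing or
     *     has no JWK set URI
     */
    @Bean
    KeycloakOauth2UserService keycloakOidcUserService(OAuth2ClientProperties oAuth2ClientProperties, CausewayConfiguration causewayConfiguration) {
        OAuth2ClientProperties.Provider provider = oAuth2ClientProperties.getProvider().get(KEYCLOAK_PROVIDER_ID);
        // Fail fast with a message that names the missing setting instead of a bare NPE.
        Assert.notNull(provider, "No OAuth2 client provider named 'keycloak' is configured (spring.security.oauth2.client.provider.keycloak.*)");

        NimbusJwtDecoder jwtDecoder = createNimbusJwtDecoder(provider.getJwkSetUri(), JWS_ALGORITHM);
        SimpleAuthorityMapper authorityMapper = new SimpleAuthorityMapper();
        authorityMapper.setConvertToUpperCase(true);
        return new KeycloakOauth2UserService(jwtDecoder, authorityMapper, causewayConfiguration);
    }

    /**
     * Builds a JWT decoder that fetches verification keys from the given JWK set URI and
     * accepts only the given signature algorithm.
     *
     * @param jwkSetUri location of the provider's JWK set; must not be blank
     * @param jwsAlgorithm name of the accepted JWS algorithm, e.g. {@code RS256}
     * @return the configured decoder
     * @throws IllegalArgumentException if {@code jwkSetUri} is null or blank
     */
    private static NimbusJwtDecoder createNimbusJwtDecoder(String jwkSetUri, String jwsAlgorithm) {
        Assert.hasText(jwkSetUri, "jwkSetUrl cannot be empty");
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                .jwsAlgorithm(SignatureAlgorithm.from(jwsAlgorithm))
                .build();
        decoder.setClaimSetConverter(MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap()));
        // NOTE(review): the default validator set does not pin the `iss` claim. If the
        // provider's issuer URI is configured, JwtValidators.createDefaultWithIssuer(..)
        // would add that check; confirm whether it is wanted here.
        decoder.setJwtValidator(JwtValidators.createDefault());
        return decoder;
    }
}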
