package org.apache.isis.security.keycloak;

import java.util.List;
import java.util.Objects;
import org.apache.isis.core.config.IsisConfiguration;
import org.apache.isis.core.runtimeservices.IsisModuleCoreRuntimeServices;
import org.apache.isis.core.security.authentication.login.LoginSuccessHandlerUNUSED;
import org.apache.isis.core.webapp.IsisModuleCoreWebapp;
import org.apache.isis.security.keycloak.handler.LogoutHandlerForKeycloak;
import org.apache.isis.security.keycloak.services.KeycloakOauth2UserService;
import org.apache.isis.security.spring.IsisModuleSecuritySpring;
import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

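/**
 * Spring configuration that plugs Keycloak (OAuth2 / OpenID Connect) login into the web
 * security filter chain of the application.
 *
 * <p>It contributes two beans: the {@link WebSecurityConfigurerAdapter} that protects every
 * request and drives login/logout, and the {@link KeycloakOauth2UserService} that is used as
 * the OIDC user service during login.
 */
@Configuration
@EnableWebSecurity
@Import({IsisModuleCoreRuntimeServices.class, IsisModuleCoreWebapp.class, LogoutHandlerForKeycloak.class, IsisModuleSecuritySpring.class})
public class IsisModuleSecurityKeycloak {

    /**
     * Security adapter that requires authentication for every request, delegates login to the
     * OAuth2 client registration derived from the configured realm, and runs the supplied
     * {@link LogoutHandler}s on {@code /logout}.
     */
    public static class KeycloakWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        private final KeycloakOauth2UserService keycloakOidcUserService;
        private final List<LogoutHandler> logoutHandlers;
        private final IsisConfiguration isisConfiguration;

        /**
         * Builds the HTTP security rules.
         *
         * @param httpSecurity the builder supplied by Spring Security
         * @throws Exception if any of the Spring Security configurers rejects the setup
         */
        @Override
        public void configure(HttpSecurity httpSecurity) throws Exception {
            String loginSuccessUrl = this.isisConfiguration.getSecurity().getKeycloak().getLoginSuccessUrl();
            // The realm name is appended to Spring Security's default authorization base path,
            // so it has to equal the OAuth2 client registration id.
            // NOTE(review): a missing realm yields ".../null" here instead of a startup error;
            // consider validating it - confirm whether the property has a default.
            String loginPage = "/oauth2/authorization/" + this.isisConfiguration.getSecurity().getKeycloak().getRealm();

            // Typed as LogoutConfigurer<HttpSecurity> (not raw) so that and() hands back
            // HttpSecurity and the oauth2Login() chain below type-checks.
            LogoutConfigurer<HttpSecurity> logoutConfigurer = httpSecurity
                    .sessionManagement()
                        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                    .and()
                    .authorizeRequests()
                        .anyRequest().authenticated()
                    .and()
                    .logout()
                        // NOTE(review): this matcher is not restricted to an HTTP method, so a
                        // plain GET /logout ends the session without a CSRF token. Restrict it
                        // to POST if forced logout by a third-party page is a concern.
                        .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
            this.logoutHandlers.forEach(logoutConfigurer::addLogoutHandler);

            logoutConfigurer
                    .and()
                    .oauth2Login()
                        // NOTE(review): successHandler(...) replaces the handler installed by
                        // defaultSuccessUrl(...), so loginSuccessUrl appears to have no effect
                        // and the user lands on the saved request (or "/"). Kept as is to
                        // preserve behaviour - confirm which of the two is intended.
                        .defaultSuccessUrl(loginSuccessUrl, true)
                        .successHandler(new SavedRequestAwareAuthenticationSuccessHandler())
                        .userInfoEndpoint()
                            .oidcUserService(this.keycloakOidcUserService)
                    .and()
                    .loginPage(loginPage);
        }

        /**
         * @param keycloakOauth2UserService OIDC user service used during login
         * @param list logout handlers to run when {@code /logout} is requested
         * @param isisConfiguration source of the Keycloak realm and login-success URL
         * @throws NullPointerException if any argument is {@code null}
         */
        public KeycloakWebSecurityConfigurerAdapter(KeycloakOauth2UserService keycloakOauth2UserService, List<LogoutHandler> list, IsisConfiguration isisConfiguration) {
            // Fail at wiring time rather than on the first configure() call.
            this.keycloakOidcUserService = Objects.requireNonNull(keycloakOauth2UserService, "keycloakOauth2UserService");
            this.logoutHandlers = Objects.requireNonNull(list, "logoutHandlers");
            this.isisConfiguration = Objects.requireNonNull(isisConfiguration, "isisConfiguration");
        }
    }

    /**
     * Creates the security adapter for Keycloak login.
     *
     * @param isisConfiguration framework configuration (realm, login-success URL)
     * @param keycloakOauth2UserService OIDC user service bean
     * @param list login-success handlers; injected but not used by this method
     * @param list2 logout handlers passed on to the adapter
     * @return the adapter registered with Spring Security
     */
    @Bean
    public WebSecurityConfigurerAdapter webSecurityConfigurer(IsisConfiguration isisConfiguration, KeycloakOauth2UserService keycloakOauth2UserService, List<LoginSuccessHandlerUNUSED> list, List<LogoutHandler> list2) {
        return new KeycloakWebSecurityConfigurerAdapter(keycloakOauth2UserService, list2, isisConfiguration);
    }

    /**
     * Creates the OIDC user service, handing it a JWT decoder bound to the JWK set of the
     * OAuth2 provider registered under the key {@code keycloak}.
     *
     * @param oAuth2ClientProperties Spring Boot's OAuth2 client properties
     * @return the user service used by the login flow
     * @throws IllegalStateException if no provider named {@code keycloak} is configured
     */
    @Bean
    KeycloakOauth2UserService keycloakOidcUserService(OAuth2ClientProperties oAuth2ClientProperties) {
        OAuth2ClientProperties.Provider provider = oAuth2ClientProperties.getProvider().get("keycloak");
        if (provider == null) {
            // Report the misconfiguration explicitly instead of a bare NullPointerException.
            throw new IllegalStateException(
                    "No OAuth2 provider named 'keycloak' is configured (spring.security.oauth2.client.provider.keycloak.*)");
        }
        // The JWK set fetched from this URI supplies the keys that token signatures are checked
        // against, so it should be an https:// endpoint of the trusted Keycloak server.
        // NOTE(review): NimbusJwtDecoderJwkSupport is deprecated in later Spring Security
        // releases in favour of NimbusJwtDecoder - confirm against the version in use.
        NimbusJwtDecoderJwkSupport jwtDecoder = new NimbusJwtDecoderJwkSupport(provider.getJwkSetUri());
        // Authority names are upper-cased before being handed to Spring Security.
        SimpleAuthorityMapper authorityMapper = new SimpleAuthorityMapper();
        authorityMapper.setConvertToUpperCase(true);
        return new KeycloakOauth2UserService(jwtDecoder, authorityMapper);
    }
}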
