package org.apache.streampipes.service.extensions.security;

import org.apache.streampipes.commons.environment.Environment;
import org.apache.streampipes.commons.environment.Environments;
import org.apache.streampipes.commons.environment.variable.StringEnvironmentVariable;
import org.apache.streampipes.service.base.security.UnauthorizedRequestEntryPoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
/* loaded from: input_file:org/apache/streampipes/service/extensions/security/WebSecurityConfig.class */
public class WebSecurityConfig {
    private static final Logger LOG = LoggerFactory.getLogger(WebSecurityConfig.class);
    private final UserDetailsService userDetailsService = str -> {
        return null;
    };
    private Environment env = Environments.getEnvironment();

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.userDetailsService(this.userDetailsService);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        if (isAnonymousAccess()) {
            ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().csrf().disable().formLogin().disable().httpBasic().disable().authorizeHttpRequests().requestMatchers(new String[]{"/**"})).permitAll();
        } else {
            httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().csrf().disable().formLogin().disable().httpBasic().disable().exceptionHandling().authenticationEntryPoint(new UnauthorizedRequestEntryPoint()).and().authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
                ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.requestMatchers((RequestMatcher[]) UnauthenticatedInterfaces.get().stream().map(AntPathRequestMatcher::new).toList().toArray(new AntPathRequestMatcher[0]))).permitAll().anyRequest()).authenticated().and().addFilterBefore(tokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
            });
        }
        return (SecurityFilterChain) httpSecurity.build();
    }

    private boolean isAnonymousAccess() {
        StringEnvironmentVariable extensionsAuthMode = this.env.getExtensionsAuthMode();
        if (!extensionsAuthMode.exists() || !((String) extensionsAuthMode.getValue()).equals("AUTH")) {
            LOG.info("Configured anonymous access for this service, consider providing an authentication option.");
            return true;
        }
        if (this.env.getJwtPublicKeyLoc().exists()) {
            LOG.info("Configured service for authenticated access mode");
            return false;
        }
        LOG.warn("No env variable {} provided, which is required for authenticated access. Defaulting to anonymous access.", this.env.getJwtPublicKeyLoc().getEnvVariableName());
        return true;
    }

    public TokenAuthenticationFilter tokenAuthenticationFilter() {
        return new TokenAuthenticationFilter();
    }

    @Bean({"org.springframework.security.userDetailsService"})
    public UserDetailsService userDetailsService() {
        return this.userDetailsService;
    }
}
